
Windows Analysis Report
17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe

Overview

General Information

Sample name: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe
Analysis ID: 1561243
MD5: efe072b9e2cfab94dffb3e877a857c7c
SHA1: 5612312c9f8a3bcd24472e6c04260b6511aaeb58
SHA256: 79e064130e4eca877a7724b2440575c365ecbecf2174c100ce9bdf10d6c73e6d
Tags: base64-decoded, exe, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Machine Learning detection for sample
Uses dynamic DNS services
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • cleanup

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Extracted malware configuration:
{"Host:Port:Password": ["sostener.duckdns.org:2024:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-P8SKN0", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "registros.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Capturas de pantalla", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Yara matches (submitted sample):
Source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
Source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
  Strings:
  • 0x6aaf8:$a1: Remcos restarted by watchdog!
  • 0x6b070:$a3: %02i:%02i:%02i:%03i
Source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
  Strings:
  • 0x64d94:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64e04:$str_b2: Executing file:
  • 0x65c3c:$str_b3: GetDirectListeningPort
  • 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65780:$str_b7: \update.vbs
  • 0x64e2c:$str_b9: Downloaded file:
  • 0x64e18:$str_b10: Downloading file:
  • 0x64ebc:$str_b12: Failed to upload file:
  • 0x65c04:$str_b13: StartForward
  • 0x65c24:$str_b14: StopForward
  • 0x656d8:$str_b15: fso.DeleteFile "
  • 0x6566c:$str_b16: On Error Resume Next
  • 0x65708:$str_b17: fso.DeleteFolder "
  • 0x64eac:$str_b18: Uploaded file:
  • 0x64e6c:$str_b19: Unable to delete:
  • 0x656a0:$str_b20: while fso.FileExists("
  • 0x65349:$str_c0: [Firefox StoredLogins not found]
Yara matches (process memory dumps):
Source: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
Source: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
  Strings:
  • 0x146f8:$a1: Remcos restarted by watchdog!
  • 0x14c70:$a3: %02i:%02i:%02i:%03i
Source: 00000000.00000000.2025659738.0000000000457000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
Yara matches (unpacked PE):
Source: 0.2.17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe.400000.0.unpack | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
Source: 0.2.17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe.400000.0.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 0.2.17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe.400000.0.unpack | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 0.2.17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe.400000.0.unpack | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
  Strings:
  • 0x6aaf8:$a1: Remcos restarted by watchdog!
  • 0x6b070:$a3: %02i:%02i:%02i:%03i
Source: 0.2.17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe.400000.0.unpack | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
  Strings:
  • 0x64d94:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64e04:$str_b2: Executing file:
  • 0x65c3c:$str_b3: GetDirectListeningPort
  • 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65780:$str_b7: \update.vbs
  • 0x64e2c:$str_b9: Downloaded file:
  • 0x64e18:$str_b10: Downloading file:
  • 0x64ebc:$str_b12: Failed to upload file:
  • 0x65c04:$str_b13: StartForward
  • 0x65c24:$str_b14: StopForward
  • 0x656d8:$str_b15: fso.DeleteFile "
  • 0x6566c:$str_b16: On Error Resume Next
  • 0x65708:$str_b17: fso.DeleteFolder "
  • 0x64eac:$str_b18: Uploaded file:
  • 0x64e6c:$str_b19: Unable to delete:
  • 0x656a0:$str_b20: while fso.FileExists("
  • 0x65349:$str_c0: [Firefox StoredLogins not found]

Stealing of Sensitive Information

Source: Registry Key set | Author: Joe Security | Data: Details: …, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe, ProcessId: 6728, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-P8SKN0\exepath

Suricata alerts:
Timestamp: 2024-11-22T23:28:56.969686+0100 | SID: 2036594 | Severity: 1 | Classtype: Malware Command and Control Activity Detected | Source IP: 192.168.2.5 | Source Port: 49704 | Destination IP: 191.91.176.72 | Destination Port: 2024 | Protocol: TCP
Timestamp: 2024-11-22T23:28:59.793713+0100 | SID: 2803304 | Severity: 3 | Classtype: Unknown Traffic | Source IP: 192.168.2.5 | Source Port: 49705 | Destination IP: 178.237.33.50 | Destination Port: 80 | Protocol: TCP


AV Detection

Source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Avira: detected
Source: 0.2.17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe.400000.0.unpack | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["sostener.duckdns.org:2024:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-P8SKN0", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "registros.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Capturas de pantalla", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | ReversingLabs: Detection: 65%
Source: Yara match | File source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2025659738.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe PID: 6728, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe, 00000000.00000000.2025659738.0000000000457000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match | File source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2025659738.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe PID: 6728, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_00406764 _wcslen,CoGetObject
Source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_0044D5E9 FindFirstFileExA
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_00406AC2 FindFirstFileW,FindNextFileW
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW

Networking

Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49704 -> 191.91.176.72:2024
Source: Malware configuration extractor | URLs: sostener.duckdns.org
Source: unknown | DNS query: name: sostener.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 191.91.176.72:2024
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | ASN Name: ColombiaMovilCO
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49705 -> 178.237.33.50:80
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_004260F7 recv
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: sostener.duckdns.org
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe, 00000000.00000003.2075733104.0000000000631000.00000004.00000020.00020000.00000000.sdmp, 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe, 00000000.00000002.4483120764.00000000005CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/
Source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe, 00000000.00000003.2075733104.000000000060F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
Source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe, 00000000.00000002.4483120764.00000000005CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe, 00000000.00000003.2075733104.0000000000631000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/s

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx
Source: Yara match | File source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2025659738.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe PID: 6728, type: MEMORYSTR

E-Banking Fraud

Source: Yara match | File source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2025659738.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe PID: 6728, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_0041BB77 SystemParametersInfoW

System Summary

Source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe, type: SAMPLE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.0.17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.0.17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.0.17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000000.2025659738.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe PID: 6728, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_0041D071
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_004520D2
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_0043D098
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_00437150
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_004361AA
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_00426254
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_00431377
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_0043651C
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_0041E5DF
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_0044C739
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_004367C6
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_004267CB
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_0043C9DD
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_00432A49
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_00436A8D
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_0043CC0C
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_00436D48
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_00434D22
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_00426E73
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_00440E20
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_0043CE3B
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_00412F45
                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exeCode function: 0_2_00452F000_2_00452F00
                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exeCode function: 0_2_00426FAD0_2_00426FAD
                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exeCode function: String function: 00401F66 appears 50 times
                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exeCode function: String function: 004020E7 appears 40 times
                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exeCode function: String function: 004338A5 appears 42 times
                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exeCode function: String function: 00433FB0 appears 55 times
Source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (same rule metadata as the SAMPLE matches above)
Source: 0.0.17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (same rule metadata as the SAMPLE matches above)
Source: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 (same rule metadata as the SAMPLE match above)
Source: 00000000.00000000.2025659738.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 (same rule metadata as the SAMPLE match above)
Source: Process Memory Space: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe PID: 6728, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 (same rule metadata as the SAMPLE match above)
Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@1/1@2/2
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_0041A63F FindResourceA,LoadResource,LockResource,SizeofResource
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\json[1].json
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-P8SKN0
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Command line argument (41 string references from 0_2_0040D767; occurrences in parentheses): XCG (16), BG (5), del (3), Rmc-P8SKN0 (2), Exe (2), Inj (2), @CG (2), exepath (2), Software\ (1), 0DG (1), licence (1), `=G (1), dCG (1), Administrator (1), User (1)
Source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (Software Restriction Policy lookup; Windows itself performs this on the process-creation path, so on its own it is weak evidence of sample logic)
Source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Section loaded (23 modules, in the order reported): apphelp.dll, winmm.dll, urlmon.dll, wininet.dll, iertutil.dll, srvcli.dll, netutils.dll, iphlpapi.dll, sspicli.dll, mswsock.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, winnsi.dll
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 (the CMSTPLUA COM class behind the CMSTP UAC bypass matched by the YARA rule above; the WOW6432Node path is what a 32-bit process sees on 64-bit Windows)
Source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Static PE information: data directory types present: IMAGE_DIRECTORY_ENTRY_IMPORT, IMAGE_DIRECTORY_ENTRY_RESOURCE, IMAGE_DIRECTORY_ENTRY_BASERELOC, IMAGE_DIRECTORY_ENTRY_DEBUG (listed twice), IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, IMAGE_DIRECTORY_ENTRY_IAT
Source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Static PE information: data directory locations: IMAGE_DIRECTORY_ENTRY_IMPORT in .rdata, IMAGE_DIRECTORY_ENTRY_RESOURCE in .rsrc, IMAGE_DIRECTORY_ENTRY_BASERELOC in .reloc, IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG in .rdata, IMAGE_DIRECTORY_ENTRY_IAT in .rdata
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_004567E0 push eax; ret 0_2_004567FE
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_00455EAF push ecx; ret 0_2_00455EC2
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_00433FF6 push ecx; ret 0_2_00434009
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_00406128 ShellExecuteW,URLDownloadToFileW
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_0041BCE3 (same LoadLibraryA/GetModuleHandleA/GetProcAddress resolver sequence as listed above)
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX
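The rows above are what a triage analyst actually works from: the YARA hits, the Rmc- mutex and CMSTPLUA CLSID artefacts, and the per-function API sequences (token privilege adjustment, Toolhelp process enumeration, URLDownloadToFileW plus ShellExecuteW, and a LoadLibraryA/GetProcAddress resolver stub). The following Python is an added example, not Joe Sandbox code and not tooling from the report; it parses rows in the report's flattened "Source: ...Code function: ..." shape and tags the capability each API combination implies. The capability groupings, the five-GetProcAddress threshold for a resolver stub, the `Rmc-<alnum>` mutex pattern and the shortened `sample.exe` path in the constructed input are the editor's assumptions.

```python
import re

# Constructed input: rows in the flattened "Source: <path><Event>: <detail>" shape used by the
# report above, with the sample path shortened to sample.exe. The function ids, API sequences,
# mutex name and CLSID are copied from the report's rows.
SAMPLE_ROWS = [
    r"Source: C:\Users\user\Desktop\sample.exeCode function: 0_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,0_2_00416AB7",
    r"Source: C:\Users\user\Desktop\sample.exeCode function: 0_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,0_2_0040E219",
    r"Source: C:\Users\user\Desktop\sample.exeCode function: 0_2_00406128 ShellExecuteW,URLDownloadToFileW,0_2_00406128",
    r"Source: C:\Users\user\Desktop\sample.exeCode function: 0_2_0040E54F Sleep,ExitProcess,0_2_0040E54F",
    r"Source: C:\Users\user\Desktop\sample.exeCode function: 0_2_0041BCE3 LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041BCE3",
    r"Source: C:\Users\user\Desktop\sample.exeCode function: String function: 00401F66 appears 50 times",
    r"Source: C:\Users\user\Desktop\sample.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-P8SKN0",
    r"Source: C:\Users\user\Desktop\sample.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior",
]

FUNC_ID_RE = re.compile(r"^\d+_\d+_[0-9A-Fa-f]{8}$")

# API combinations that, seen inside one function, imply a capability. These groupings are
# the editor's (hypothetical), not the sandbox's own signature logic.
CAPABILITIES = {
    "token-privilege-adjust": {"OpenProcessToken", "AdjustTokenPrivileges"},
    "process-enumeration": {"CreateToolhelp32Snapshot", "Process32NextW"},
    "download-and-execute": {"URLDownloadToFileW", "ShellExecuteW"},
    "service-enumeration": {"OpenSCManagerA", "EnumServicesStatusW"},
    "delayed-exit": {"Sleep", "ExitProcess"},
}
DYNAMIC_API_MIN_RESOLVES = 5  # assumption: this many GetProcAddress calls in one function = resolver stub

REMCOS_MUTEX_RE = re.compile(r"^Rmc-[A-Za-z0-9]{4,}$")  # assumption: Remcos "Rmc-<alnum>" mutex naming
CMSTPLUA_CLSID = "{057EEE47-2572-4AA1-88D7-60CE2149E33C}"  # CMSTPLUA COM class (CMSTP UAC bypass, T1218.003)


def clean(line):
    """Strip the 'Jump to behavior' link text the HTML export leaves on behaviour rows."""
    return line.replace("Jump to behavior", "").strip()


def parse_code_function(line):
    """Return (function_id, [api, ...]) for a 'Code function:' row, or None for anything else."""
    marker = "Code function:"
    if marker not in line:
        return None
    tokens = clean(line).split(marker, 1)[1].split()
    if not tokens or not FUNC_ID_RE.match(tokens[0]):
        return None
    fid = tokens[0]
    apis = [a.strip() for a in " ".join(tokens[1:]).split(",")]
    # The trailing token repeats the function id (the report's link column); drop it.
    return fid, [a for a in apis if a and not FUNC_ID_RE.match(a)]


def classify(apis):
    """Tag one function's API sequence with the capabilities it implies."""
    present = set(apis)
    tags = [name for name, needed in CAPABILITIES.items() if needed <= present]
    if apis.count("GetProcAddress") >= DYNAMIC_API_MIN_RESOLVES:
        tags.append("dynamic-api-resolution")
    return sorted(tags)


def triage(rows):
    """Walk report rows; collect capability tags plus the two host artefacts worth hunting for."""
    result = {"capabilities": {}, "remcos_mutex": [], "cmstplua_com": False}
    for raw in rows:
        line = clean(raw)
        parsed = parse_code_function(line)
        if parsed:
            fid, apis = parsed
            tags = classify(apis)
            if tags:
                result["capabilities"][fid] = tags
            continue
        if "Mutant created:" in line:
            name = line.split("Mutant created:", 1)[1].strip().rsplit("\\", 1)[-1]
            if REMCOS_MUTEX_RE.match(name):
                result["remcos_mutex"].append(name)
        if CMSTPLUA_CLSID.lower() in line.lower():
            result["cmstplua_com"] = True
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_ROWS), indent=2))
```

Run as a script it prints the triage dictionary as JSON. The mutex and CLSID hits are the two items that translate directly into host hunting (a named-object check for `Rmc-*` and a registry/ETW watch on that CLSID), whereas the capability tags only say what the code can do, not what it did during the run.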

                      Malware Analysis System Evasion

Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_0040E54F Sleep,ExitProcess
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_004198C2 OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Window / User API: threadDelayed 7675
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Window / User API: threadDelayed 2317
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | API coverage: 9.7 %
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe TID: 6584 | Thread sleep count: 7675 > 30
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe TID: 6584 | Thread sleep time: -23025000s >= -30000s
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe TID: 6584 | Thread sleep count: 2317 > 30
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe TID: 6584 | Thread sleep time: -6951000s >= -30000s
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_0044D5E9 FindFirstFileExA
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_00406AC2 FindFirstFileW,FindNextFileW
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW
                      Source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe, 00000000.00000002.4483312340.0000000000648000.00000004.00000020.00020000.00000000.sdmp, 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe, 00000000.00000003.2076013584.0000000000648000.00000004.00000020.00020000.00000000.sdmp, 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe, 00000000.00000002.4483120764.00000000005CE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exeAPI call chain: ExitProcess graph end nodegraph_0-47894
                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exeCode function: 0_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0043A65D
                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exeCode function: 0_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041BCE3
                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exeCode function: 0_2_00442554 mov eax, dword ptr fs:[00000030h]0_2_00442554
                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exeCode function: 0_2_0044E92E GetProcessHeap,0_2_0044E92E
                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exeCode function: 0_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00434168
                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exeCode function: 0_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0043A65D
                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exeCode function: 0_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00433B44
                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exeCode function: 0_2_00433CD7 SetUnhandledExceptionFilter,0_2_00433CD7
                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe0_2_00410F36
                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exeCode function: 0_2_00418754 mouse_event,0_2_00418754
                      Source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe, 00000000.00000002.4483312340.0000000000643000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerzDl
                      Source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe, 00000000.00000002.4483312340.0000000000643000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
                      Source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe, 00000000.00000002.4483312340.0000000000643000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerND
                      Source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe, 00000000.00000002.4483312340.0000000000643000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager1D!
                      Source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe, 00000000.00000002.4483312340.0000000000643000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagercDW
                      Source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe, 00000000.00000002.4483312340.0000000000643000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerfDX
                      Source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe, 00000000.00000002.4483120764.000000000060F000.00000004.00000020.00020000.00000000.sdmp, 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe, 00000000.00000002.4483120764.0000000000620000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
                      Source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe, 00000000.00000002.4483312340.0000000000643000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerwDk
                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exeCode function: 0_2_00433E0A cpuid 0_2_00433E0A
                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exeCode function: GetLocaleInfoA,0_2_0040E679
                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exeCode function: EnumSystemLocalesW,0_2_004470AE
                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exeCode function: GetLocaleInfoW,0_2_004510BA
                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_004511E3
                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exeCode function: GetLocaleInfoW,0_2_004512EA
                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_004513B7
                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exeCode function: GetLocaleInfoW,0_2_00447597
                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00450A7F
                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exeCode function: EnumSystemLocalesW,0_2_00450CF7
                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exeCode function: EnumSystemLocalesW,0_2_00450D42
                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exeCode function: EnumSystemLocalesW,0_2_00450DDD
                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00450E6A
                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exeCode function: 0_2_00404915 GetLocalTime,CreateEventA,CreateThread,0_2_00404915
                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exeCode function: 0_2_0041A7A2 GetComputerNameExW,GetUserNameW,0_2_0041A7A2
                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exeCode function: 0_2_0044800F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_0044800F
                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Stealing of Sensitive Information

                      Source: Yara match | File source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe, type: SAMPLE
                      Source: Yara match | File source: 0.2.17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000000.2025659738.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe PID: 6728, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0_2_0040B21B
                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 0_2_0040B335
                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: \key3.db 0_2_0040B335

                      Remote Access Functionality

                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-P8SKN0
                      Source: Yara match | File source: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe, type: SAMPLE
                      Source: Yara match | File source: 0.2.17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000000.2025659738.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe PID: 6728, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Code function: cmd.exe 0_2_00405042
                      MITRE ATT&CK Matrix (the number before a technique is the count of matched signatures for that technique)

                      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                      Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 12 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
                      Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | 1 Windows Service | 1 Bypass User Account Control | 2 Obfuscated Files or Information | 111 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 111 Input Capture | 2 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement
                      Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | Logon Script (Windows) | 1 Access Token Manipulation | 1 DLL Side-Loading | 2 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
                      Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Windows Service | 1 Bypass User Account Control | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | 1 Remote Access Software | Traffic Duplication | Data Destruction
                      Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 11 Process Injection | 1 Masquerading | LSA Secrets | 23 System Information Discovery | SSH | Keylogging | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                      Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Virtualization/Sandbox Evasion | Cached Domain Credentials | 21 Security Software Discovery | VNC | GUI Input Capture | 22 Application Layer Protocol | Data Transfer Size Limits | Service Stop
                      DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 1 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                      Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 Process Injection | Proc Filesystem | 2 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                      Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                      IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

                      Source | Detection | Scanner | Label | Link
                      17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | 66% | ReversingLabs | Win32.Backdoor.Remcos |
                      17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | 100% | Avira | BDS/Backdoor.Gen |
                      17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | 100% | Joe Sandbox ML | |
                      No Antivirus matches
                      No Antivirus matches
                      No Antivirus matches
                      Source | Detection | Scanner | Label | Link
                      sostener.duckdns.org | 0% | Avira URL Cloud | safe |

                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      sostener.duckdns.org | 191.91.176.72 | true | true | | unknown
                      geoplugin.net | 178.237.33.50 | true | false | | high

                      Name | Malicious | Antivirus Detection | Reputation
                      http://geoplugin.net/json.gp | false | | high
                      sostener.duckdns.org | true | Avira URL Cloud: safe | unknown
                      Name | Source | Malicious | Antivirus Detection | Reputation
                      http://geoplugin.net/ | 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe, 00000000.00000003.2075733104.0000000000631000.00000004.00000020.00020000.00000000.sdmp, 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe, 00000000.00000002.4483120764.00000000005CE000.00000004.00000020.00020000.00000000.sdmp | false | | high
                      http://geoplugin.net/s | 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe, 00000000.00000003.2075733104.0000000000631000.00000004.00000020.00020000.00000000.sdmp | false | | high
                      http://geoplugin.net/json.gp/C | 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | false | | high
                      http://geoplugin.net/json.gpSystem32 | 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe, 00000000.00000002.4483120764.00000000005CE000.00000004.00000020.00020000.00000000.sdmp | false | | high
                      IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                      191.91.176.72 | sostener.duckdns.org | Colombia | | 27831 | ColombiaMovilCO | true
                      178.237.33.50 | geoplugin.net | Netherlands | | 8455 | ATOM86-ASATOM86NL | false
                      Joe Sandbox version: 41.0.0 Charoite
                      Analysis ID: 1561243
                      Start date and time: 2024-11-22 23:28:05 +01:00
                      Joe Sandbox product: CloudBasic
                      Overall analysis duration: 0h 6m 32s
                      Hypervisor based Inspection enabled: false
                      Report type: full
                      Cookbook file name: default.jbs
                      Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed: 4
                      Number of new started drivers analysed: 0
                      Number of existing processes analysed: 0
                      Number of existing drivers analysed: 0
                      Number of injected processes analysed: 0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode: default
                      Analysis stop reason: Timeout
                      Sample name: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe
                      Detection: MAL
                      Classification: mal100.rans.troj.spyw.expl.evad.winEXE@1/1@2/2
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 33
                      • Number of non-executed functions: 213
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Override analysis time to 240000 for current running targets taking high CPU consumption
                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • VT rate limit hit for: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe
                      Time | Type | Description
                      17:29:30 | API Interceptor | 5149513x Sleep call for process: 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe modified
                      Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                      191.91.176.72 | 173214786538d62370d8419c4e67fb1390e51b3edc777f72d69442d5f67bcb27b6dd851138241.dat-decoded.exe | Get hash | malicious | AsyncRAT | Browse |
                      178.237.33.50 | 018292540-LetterReguranPPI-20230814215304.PDF.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
                      178.237.33.50 | 800399031-18.11.2024.pdf.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
                      178.237.33.50 | Purchase Inquiry_002.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
                      178.237.33.50 | APPENDIX FORM_N#U00b045013-20241120.com.exe | Get hash | malicious | Remcos, GuLoader | Browse | geoplugin.net/json.gp
                      178.237.33.50 | wE1inOhJA5.msi | Get hash | malicious | Remcos, RHADAMANTHYS | Browse | geoplugin.net/json.gp
                      178.237.33.50 | ORDER AND SPECIFICATIONS.scr.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
                      178.237.33.50 | 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
                      178.237.33.50 | 1732143786cec792bea7f8ce7f818c031173ce52fabd19dde842f74b07fc234dc9f3fa1dcf839.dat-decoded.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
                      178.237.33.50 | seethebestthignswhichgivingbestopportunities.hta | Get hash | malicious | Cobalt Strike, Remcos, HTMLPhisher | Browse | geoplugin.net/json.gp
                      178.237.33.50 | pi-77159.xls | Get hash | malicious | Remcos, HTMLPhisher | Browse | geoplugin.net/json.gp
                      Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                      geoplugin.net | 018292540-LetterReguranPPI-20230814215304.PDF.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
                      geoplugin.net | 800399031-18.11.2024.pdf.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
                      geoplugin.net | Purchase Inquiry_002.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
                      geoplugin.net | APPENDIX FORM_N#U00b045013-20241120.com.exe | Get hash | malicious | Remcos, GuLoader | Browse | 178.237.33.50
                      geoplugin.net | wE1inOhJA5.msi | Get hash | malicious | Remcos, RHADAMANTHYS | Browse | 178.237.33.50
                      geoplugin.net | ORDER AND SPECIFICATIONS.scr.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
                      geoplugin.net | 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
                      geoplugin.net | 1732143786cec792bea7f8ce7f818c031173ce52fabd19dde842f74b07fc234dc9f3fa1dcf839.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
                      geoplugin.net | seethebestthignswhichgivingbestopportunities.hta | Get hash | malicious | Cobalt Strike, Remcos, HTMLPhisher | Browse | 178.237.33.50
                      geoplugin.net | pi-77159.xls | Get hash | malicious | Remcos, HTMLPhisher | Browse | 178.237.33.50
                                      Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                      Match: ATOM86-ASATOM86NL
                                      018292540-LetterReguranPPI-20230814215304.PDF.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
                                      800399031-18.11.2024.pdf.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
                                      Purchase Inquiry_002.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
                                      APPENDIX FORM_N#U00b045013-20241120.com.exe | Get hash | malicious | Remcos, GuLoader | Browse | 178.237.33.50
                                      wE1inOhJA5.msi | Get hash | malicious | Remcos, RHADAMANTHYS | Browse | 178.237.33.50
                                      ORDER AND SPECIFICATIONS.scr.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
                                      1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
                                      1732143786cec792bea7f8ce7f818c031173ce52fabd19dde842f74b07fc234dc9f3fa1dcf839.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
                                      seethebestthignswhichgivingbestopportunities.hta | Get hash | malicious | Cobalt Strike, Remcos, HTMLPhisher | Browse | 178.237.33.50
                                      pi-77159.xls | Get hash | malicious | Remcos, HTMLPhisher | Browse | 178.237.33.50
                                      Match: ColombiaMovilCO
                                      sparc.nn.elf | Get hash | malicious | Mirai, Okiru | Browse | 191.93.32.228
                                      173214786538d62370d8419c4e67fb1390e51b3edc777f72d69442d5f67bcb27b6dd851138241.dat-decoded.exe | Get hash | malicious | AsyncRAT | Browse | 191.91.176.72
                                      PNSBt.js | Get hash | malicious | AsyncRAT | Browse | 191.93.117.49
                                      LETA_pdf.vbs | Get hash | malicious | AsyncRAT, PureLog Stealer | Browse | 181.71.217.114
                                      aNZZ9YFI6g.exe | Get hash | malicious | AsyncRAT, PureLog Stealer | Browse | 191.93.117.49
                                      spc.elf | Get hash | malicious | Mirai | Browse | 177.254.129.210
                                      xd.spc.elf | Get hash | malicious | Mirai | Browse | 181.205.208.130
                                      xd.m68k.elf | Get hash | malicious | Mirai | Browse | 181.71.150.123
                                      xd.arm.elf | Get hash | malicious | Mirai | Browse | 191.91.160.75
                                      botnet.x86.elf | Get hash | malicious | Mirai, Moobot | Browse | 181.69.86.207
                                      No context
                                      No context
                                      Process:C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe
                                      File Type:JSON data
                                      Category:dropped
                                      Size (bytes):962
                                      Entropy (8bit):5.015105568788186
                                      Encrypted:false
                                      SSDEEP:12:tkluQ+nd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qluQydRNuKyGX85jvXhNlT3/7AcV9Wro
                                      MD5:8937B63DC0B37E949F38E7874886D999
                                      SHA1:62FD17BF5A029DDD3A5CFB4F5FC9FE83A346FFFC
                                      SHA-256:AB2F31E4512913B1E7F7ACAB4B72D6E741C960D0A482F09EA6F9D96FED842A66
                                      SHA-512:077176C51DC10F155EE08326270C1FE3E6CF36C7ABA75611BDB3CCDA2526D6F0360DBC2FBF4A9963051F0F01658017389FD898980ACF7BB3B29B287F188EE7B9
                                      Malicious:false
                                      Reputation:low
                                      Preview:{. "geoplugin_request":"8.46.123.75",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):6.586606330148629
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe
                                      File size:493'056 bytes
                                      MD5:efe072b9e2cfab94dffb3e877a857c7c
                                      SHA1:5612312c9f8a3bcd24472e6c04260b6511aaeb58
                                      SHA256:79e064130e4eca877a7724b2440575c365ecbecf2174c100ce9bdf10d6c73e6d
                                      SHA512:0f2cac23df20bcae69107145c6409e87cea5b9d8e0e4f97335771faa7b526d7c13f4c01cafdbfcd767d5aaee17beabbbe3dbc42e1c7399cb34410f3c82901832
                                      SSDEEP:12288:ruD09AUkNIGBYYv4eK13x13nZHSRVMf139F5wIB7+IwtHwBtVxbesvZDS++DY:u09AfNIEYsunZvZ19ZNs
                                      TLSH:88A4BF01B6D2C072D57625300D26E775DEBDBD212835897BB3DA1D67FE30180E63AAB2
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)...H...H...H....(..H....*..H....+..H...0]..H..&....H... ...H... ...H... ...H...0J..H...H...I...!...H...!&..H...!...H..Rich.H.
                                      Icon Hash:95694d05214c1b33
                                      Entrypoint:0x433b3a
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:TERMINAL_SERVER_AWARE
                                      Time Stamp:0x6724916B [Fri Nov 1 08:29:31 2024 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:5
                                      OS Version Minor:1
                                      File Version Major:5
                                      File Version Minor:1
                                      Subsystem Version Major:5
                                      Subsystem Version Minor:1
                                      Import Hash:e77512f955eaf60ccff45e02d69234de
                                      Instruction
                                      call 00007F87C87D0FC3h
                                      jmp 00007F87C87D091Fh
                                      push ebp
                                      mov ebp, esp
                                      sub esp, 00000324h
                                      push ebx
                                      push 00000017h
                                      call 00007F87C87F2DF9h
                                      test eax, eax
                                      je 00007F87C87D0AA7h
                                      mov ecx, dword ptr [ebp+08h]
                                      int 29h
                                      push 00000003h
                                      call 00007F87C87D0C64h
                                      mov dword ptr [esp], 000002CCh
                                      lea eax, dword ptr [ebp-00000324h]
                                      push 00000000h
                                      push eax
                                      call 00007F87C87D2F7Bh
                                      add esp, 0Ch
                                      mov dword ptr [ebp-00000274h], eax
                                      mov dword ptr [ebp-00000278h], ecx
                                      mov dword ptr [ebp-0000027Ch], edx
                                      mov dword ptr [ebp-00000280h], ebx
                                      mov dword ptr [ebp-00000284h], esi
                                      mov dword ptr [ebp-00000288h], edi
                                      mov word ptr [ebp-0000025Ch], ss
                                      mov word ptr [ebp-00000268h], cs
                                      mov word ptr [ebp-0000028Ch], ds
                                      mov word ptr [ebp-00000290h], es
                                      mov word ptr [ebp-00000294h], fs
                                      mov word ptr [ebp-00000298h], gs
                                      pushfd
                                      pop dword ptr [ebp-00000264h]
                                      mov eax, dword ptr [ebp+04h]
                                      mov dword ptr [ebp-0000026Ch], eax
                                      lea eax, dword ptr [ebp+04h]
                                      mov dword ptr [ebp-00000260h], eax
                                      mov dword ptr [ebp-00000324h], 00010001h
                                      mov eax, dword ptr [eax-04h]
                                      push 00000050h
                                      mov dword ptr [ebp-00000270h], eax
                                      lea eax, dword ptr [ebp-58h]
                                      push 00000000h
                                      push eax
                                      call 00007F87C87D2EF1h
                                      Programming Language:
                                      • [C++] VS2008 SP1 build 30729
                                      • [IMP] VS2008 SP1 build 30729
                                      Name | Virtual Address | Virtual Size | Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6e020 | 0x104 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x76000 | 0x4b74 | .rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7b000 | 0x3b80 | .reloc
                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6c510 | 0x38 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x6c5e8 | 0x18 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6c548 | 0x40 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x57000 | 0x4f4 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                      .text | 0x1000 | 0x55f1d | 0x56000 | 30cda225e02a0d4dab478a6c7c094860 | False | 0.5738610555959303 | data | 6.62127843313247 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                      .rdata | 0x57000 | 0x18b00 | 0x18c00 | 9800e1a5325bb58aa054e318c8bb055a | False | 0.49812578914141414 | OpenPGP Secret Key Version 6 | 5.758930104385571 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .data | 0x70000 | 0x5d6c | 0xe00 | 06414e748130e7e668ba2ba172d63448 | False | 0.22684151785714285 | data | 3.093339598098017 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      .rsrc | 0x76000 | 0x4b74 | 0x4c00 | 0f64bb12a53dfa41434ad96917c1ea08 | False | 0.2856702302631579 | data | 3.9918709037150055 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .reloc | 0x7b000 | 0x3b80 | 0x3c00 | 3a880743591ae3410d0dc26d7322ddd0 | False | 0.7569661458333333 | data | 6.695050823503309 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                      RT_ICON | 0x7618c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3421985815602837
                                      RT_ICON | 0x765f4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.27704918032786885
                                      RT_ICON | 0x76f7c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.23686679174484052
                                      RT_ICON | 0x78024 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.22977178423236513
                                      RT_RCDATA | 0x7a5cc | 0x565 | data | | | 1.007965242577842
                                      RT_GROUP_ICON | 0x7ab34 | 0x3e | data | English | United States | 0.8064516129032258
                                      DLL | Import
                                      KERNEL32.dll | ExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, LoadLibraryA, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, SetConsoleOutputCP, FormatMessageA, FindFirstFileA, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, HeapReAlloc, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, GetACP, GetModuleHandleExW, MoveFileExW, LoadLibraryExW, RaiseException, RtlUnwind, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, MultiByteToWideChar, DecodePointer, EncodePointer, TlsFree, TlsSetValue, GetFileSize, TerminateThread, GetLastError, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, CreateDirectoryW, GetLogicalDriveStringsA, DeleteFileW, FindNextFileA, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, GetProcAddress, CreateMutexA, GetCurrentProcess, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, FindNextVolumeW, TlsGetValue, TlsAlloc, SwitchToThread, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, InitializeCriticalSectionAndSpinCount, SetEndOfFile
                                      USER32.dll | DefWindowProcA, TranslateMessage, DispatchMessageA, GetMessageA, GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, GetWindowThreadProcessId, SetForegroundWindow, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CreateWindowExA, SendInput, EnumDisplaySettingsW, mouse_event, MapVirtualKeyA, TrackPopupMenu, CreatePopupMenu, AppendMenuA, RegisterClassExA, GetCursorPos, SystemParametersInfoW, GetIconInfo, GetSystemMetrics, CloseWindow, DrawIcon
                                      GDI32.dll | BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteDC, DeleteObject, CreateDCA, GetObjectA, SelectObject
                                      ADVAPI32.dll | LookupPrivilegeValueA, CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, RegDeleteKeyA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW
                                      SHELL32.dll | ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
                                      ole32.dll | CoInitializeEx, CoGetObject, CoUninitialize
                                      SHLWAPI.dll | StrToIntA, PathFileExistsW, PathFileExistsA
                                      WINMM.dll | mciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInStart, waveInUnprepareHeader, waveInOpen, waveInAddBuffer, waveInPrepareHeader, PlaySoundW
                                      WS2_32.dll | send, WSAStartup, socket, connect, WSAGetLastError, recv, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, gethostbyname
                                      urlmon.dll | URLOpenBlockingStreamW, URLDownloadToFileW
                                      gdiplus.dll | GdipAlloc, GdiplusStartup, GdipGetImageEncoders, GdipLoadImageFromStream, GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipCloneImage
                                      WININET.dll | InternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile
                                      Language of compilation system | Country where language is spoken | Map
                                      English | United States |
                                      Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                      2024-11-22T23:28:56.969686+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49704 | 191.91.176.72 | 2024 | TCP
                                      2024-11-22T23:28:59.793713+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.5 | 49705 | 178.237.33.50 | 80 | TCP
                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Nov 22, 2024 23:28:55.411456108 CET | 49704 | 2024 | 192.168.2.5 | 191.91.176.72
                                      Nov 22, 2024 23:28:55.531450033 CET | 2024 | 49704 | 191.91.176.72 | 192.168.2.5
                                      Nov 22, 2024 23:28:55.531554937 CET | 49704 | 2024 | 192.168.2.5 | 191.91.176.72
                                      Nov 22, 2024 23:28:55.538963079 CET | 49704 | 2024 | 192.168.2.5 | 191.91.176.72
                                      Nov 22, 2024 23:28:55.658631086 CET | 2024 | 49704 | 191.91.176.72 | 192.168.2.5
                                      Nov 22, 2024 23:28:56.916882038 CET | 2024 | 49704 | 191.91.176.72 | 192.168.2.5
                                      Nov 22, 2024 23:28:56.969686031 CET | 49704 | 2024 | 192.168.2.5 | 191.91.176.72
                                      Nov 22, 2024 23:28:57.171066999 CET | 2024 | 49704 | 191.91.176.72 | 192.168.2.5
                                      Nov 22, 2024 23:28:57.219691992 CET | 49704 | 2024 | 192.168.2.5 | 191.91.176.72
                                      Nov 22, 2024 23:28:57.335407019 CET | 49704 | 2024 | 192.168.2.5 | 191.91.176.72
                                      Nov 22, 2024 23:28:57.455996990 CET | 2024 | 49704 | 191.91.176.72 | 192.168.2.5
                                      Nov 22, 2024 23:28:57.456089973 CET | 49704 | 2024 | 192.168.2.5 | 191.91.176.72
                                      Nov 22, 2024 23:28:57.576010942 CET | 2024 | 49704 | 191.91.176.72 | 192.168.2.5
                                      Nov 22, 2024 23:28:57.900460005 CET | 2024 | 49704 | 191.91.176.72 | 192.168.2.5
                                      Nov 22, 2024 23:28:57.905565023 CET | 49704 | 2024 | 192.168.2.5 | 191.91.176.72
                                      Nov 22, 2024 23:28:58.028568029 CET | 2024 | 49704 | 191.91.176.72 | 192.168.2.5
                                      Nov 22, 2024 23:28:58.110665083 CET | 2024 | 49704 | 191.91.176.72 | 192.168.2.5
                                      Nov 22, 2024 23:28:58.157146931 CET | 49704 | 2024 | 192.168.2.5 | 191.91.176.72
                                      Nov 22, 2024 23:28:58.337646008 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
                                      Nov 22, 2024 23:28:58.458394051 CET | 80 | 49705 | 178.237.33.50 | 192.168.2.5
                                      Nov 22, 2024 23:28:58.458468914 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
                                      Nov 22, 2024 23:28:58.458646059 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
                                      Nov 22, 2024 23:28:58.578268051 CET | 80 | 49705 | 178.237.33.50 | 192.168.2.5
                                      Nov 22, 2024 23:28:59.793611050 CET | 80 | 49705 | 178.237.33.50 | 192.168.2.5
                                      Nov 22, 2024 23:28:59.793713093 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
                                      Nov 22, 2024 23:29:00.053002119 CET | 49704 | 2024 | 192.168.2.5 | 191.91.176.72
                                      Nov 22, 2024 23:29:00.172919035 CET | 2024 | 49704 | 191.91.176.72 | 192.168.2.5
                                      Nov 22, 2024 23:29:00.792804003 CET | 80 | 49705 | 178.237.33.50 | 192.168.2.5
                                      Nov 22, 2024 23:29:00.792905092 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
                                      Nov 22, 2024 23:29:18.984354019 CET | 2024 | 49704 | 191.91.176.72 | 192.168.2.5
                                      Nov 22, 2024 23:29:18.986191988 CET | 49704 | 2024 | 192.168.2.5 | 191.91.176.72
                                      Nov 22, 2024 23:29:19.105690956 CET | 2024 | 49704 | 191.91.176.72 | 192.168.2.5
                                      Nov 22, 2024 23:29:49.726882935 CET | 2024 | 49704 | 191.91.176.72 | 192.168.2.5
                                      Nov 22, 2024 23:29:49.728634119 CET | 49704 | 2024 | 192.168.2.5 | 191.91.176.72
                                      Nov 22, 2024 23:29:49.848329067 CET | 2024 | 49704 | 191.91.176.72 | 192.168.2.5
                                      Nov 22, 2024 23:30:20.057037115 CET | 2024 | 49704 | 191.91.176.72 | 192.168.2.5
                                      Nov 22, 2024 23:30:20.072686911 CET | 49704 | 2024 | 192.168.2.5 | 191.91.176.72
                                      Nov 22, 2024 23:30:20.193568945 CET | 2024 | 49704 | 191.91.176.72 | 192.168.2.5
                                      Nov 22, 2024 23:30:48.141608953 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
                                      Nov 22, 2024 23:30:48.563365936 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
                                      Nov 22, 2024 23:30:49.172703028 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
                                      Nov 22, 2024 23:30:50.375917912 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
                                      Nov 22, 2024 23:30:50.570080996 CET | 2024 | 49704 | 191.91.176.72 | 192.168.2.5
                                      Nov 22, 2024 23:30:50.572129011 CET | 49704 | 2024 | 192.168.2.5 | 191.91.176.72
                                      Nov 22, 2024 23:30:50.691709042 CET | 2024 | 49704 | 191.91.176.72 | 192.168.2.5
                                      Nov 22, 2024 23:30:52.875888109 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
                                      Nov 22, 2024 23:30:57.766473055 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
                                      Nov 22, 2024 23:31:07.375806093 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
                                      Nov 22, 2024 23:31:20.991797924 CET | 2024 | 49704 | 191.91.176.72 | 192.168.2.5
                                      Nov 22, 2024 23:31:20.993524075 CET | 49704 | 2024 | 192.168.2.5 | 191.91.176.72
                                      Nov 22, 2024 23:31:21.113121033 CET | 2024 | 49704 | 191.91.176.72 | 192.168.2.5
                                      Nov 22, 2024 23:31:51.730650902 CET | 2024 | 49704 | 191.91.176.72 | 192.168.2.5
                                      Nov 22, 2024 23:31:51.737359047 CET | 49704 | 2024 | 192.168.2.5 | 191.91.176.72
                                      Nov 22, 2024 23:31:51.856998920 CET | 2024 | 49704 | 191.91.176.72 | 192.168.2.5
                                      Nov 22, 2024 23:32:22.156032085 CET | 2024 | 49704 | 191.91.176.72 | 192.168.2.5
                                      Nov 22, 2024 23:32:22.157480001 CET | 49704 | 2024 | 192.168.2.5 | 191.91.176.72
                                      Nov 22, 2024 23:32:22.276983976 CET | 2024 | 49704 | 191.91.176.72 | 192.168.2.5
                                      Nov 22, 2024 23:32:52.819827080 CET | 2024 | 49704 | 191.91.176.72 | 192.168.2.5
                                      Nov 22, 2024 23:32:52.821635962 CET | 49704 | 2024 | 192.168.2.5 | 191.91.176.72
                                      Nov 22, 2024 23:32:52.941200972 CET | 2024 | 49704 | 191.91.176.72 | 192.168.2.5
                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Nov 22, 2024 23:28:55.068756104 CET | 64230 | 53 | 192.168.2.5 | 1.1.1.1
                                      Nov 22, 2024 23:28:55.407757044 CET | 53 | 64230 | 1.1.1.1 | 192.168.2.5
                                      Nov 22, 2024 23:28:58.156333923 CET | 54711 | 53 | 192.168.2.5 | 1.1.1.1
                                      Nov 22, 2024 23:28:58.333862066 CET | 53 | 54711 | 1.1.1.1 | 192.168.2.5
                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                      Nov 22, 2024 23:28:55.068756104 CET | 192.168.2.5 | 1.1.1.1 | 0xc119 | Standard query (0) | sostener.duckdns.org | A (IP address) | IN (0x0001) | false
                                      Nov 22, 2024 23:28:58.156333923 CET | 192.168.2.5 | 1.1.1.1 | 0x8ef8 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                      Nov 22, 2024 23:28:55.407757044 CET | 1.1.1.1 | 192.168.2.5 | 0xc119 | No error (0) | sostener.duckdns.org | | 191.91.176.72 | A (IP address) | IN (0x0001) | false
                                      Nov 22, 2024 23:28:58.333862066 CET | 1.1.1.1 | 192.168.2.5 | 0x8ef8 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                      • geoplugin.net
                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      0 | 192.168.2.5 | 49705 | 178.237.33.50 | 80 | 6728 | C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Nov 22, 2024 23:28:58.458646059 CET | 71 | OUT | GET /json.gp HTTP/1.1
                                      Host: geoplugin.net
                                      Cache-Control: no-cache
                                      Nov 22, 2024 23:28:59.793611050 CET | 1170 | IN | HTTP/1.1 200 OK
                                      date: Fri, 22 Nov 2024 22:28:59 GMT
                                      server: Apache
                                      content-length: 962
                                      content-type: application/json; charset=utf-8
                                      cache-control: public, max-age=300
                                      access-control-allow-origin: *
                                      Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 37 35 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED]
                                      Data Ascii: { "geoplugin_request":"8.46.123.75", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                                      Target ID:0
                                      Start time:17:28:54
                                      Start date:22/11/2024
                                      Path:C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe"
                                      Imagebase:0x400000
                                      File size:493'056 bytes
                                      MD5 hash:EFE072B9E2CFAB94DFFB3E877A857C7C
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000000.2025659738.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000000.2025659738.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.2025659738.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000000.2025659738.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                      Reputation:low
                                      Has exited:false


                                        Execution Graph

                                        Execution Coverage:4%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:23%
                                        Total number of Nodes:1260
                                        Total number of Limit Nodes:64
47491 40845b 47491->47487 47492->47491 47494 402f0d 28 API calls 47492->47494 47494->47491 47499 402d97 47498->47499 47502 4030f7 47499->47502 47501 402dab 47501->47483 47503 403101 47502->47503 47505 403115 47503->47505 47506 4036c2 28 API calls 47503->47506 47505->47501 47506->47505 47508 403b48 47507->47508 47514 403b7a 47508->47514 47511 403cbb 47523 403dc2 47511->47523 47513 403cc9 47513->47114 47515 403b86 47514->47515 47518 403b9e 47515->47518 47517 403b5a 47517->47511 47519 403ba8 47518->47519 47521 403bb3 47519->47521 47522 403cfd 28 API calls 47519->47522 47521->47517 47522->47521 47524 403dce 47523->47524 47527 402ffd 47524->47527 47526 403de3 47526->47513 47528 40300e 47527->47528 47529 4032a4 22 API calls 47528->47529 47530 40301a 47529->47530 47532 40302e 47530->47532 47533 4035e8 28 API calls 47530->47533 47532->47526 47533->47532 47540 4395ba 47534->47540 47538 412814 47537->47538 47539 4127ed RegSetValueExA RegCloseKey 47537->47539 47538->47137 47539->47538 47543 43953b 47540->47543 47542 401608 47542->47139 47544 43954a 47543->47544 47545 43955e 47543->47545 47549 445354 20 API calls _abort 47544->47549 47548 43954f __alldvrm __wsopen_s 47545->47548 47550 447601 11 API calls 2 library calls 47545->47550 47548->47542 47549->47548 47550->47548 47554 41aab9 ctype ___scrt_fastfail 47551->47554 47552 401f66 28 API calls 47553 41ab2e 47552->47553 47553->47144 47554->47552 47555->47160 47557 413fb3 getaddrinfo WSASetLastError 47556->47557 47558 413fa9 47556->47558 47557->47194 47703 413e37 29 API calls ___std_exception_copy 47558->47703 47560 413fae 47560->47557 47562 404206 socket 47561->47562 47563 4041fd 47561->47563 47565 404220 47562->47565 47566 404224 CreateEventW 47562->47566 47704 404262 WSAStartup 47563->47704 47565->47194 47566->47194 47567 404202 47567->47562 47567->47565 47569 40492a 47568->47569 47570 4049b1 47568->47570 47571 404933 47569->47571 47572 404987 CreateEventA CreateThread 47569->47572 47573 404942 GetLocalTime 47569->47573 
47570->47194 47571->47572 47572->47570 47706 404b1d 47572->47706 47574 41ad46 28 API calls 47573->47574 47575 40495b 47574->47575 47705 404c9e 28 API calls 47575->47705 47577 404968 47578 401f66 28 API calls 47577->47578 47579 404977 47578->47579 47580 41a686 79 API calls 47579->47580 47581 40497c 47580->47581 47582 401eea 11 API calls 47581->47582 47582->47572 47584 4043e1 47583->47584 47585 4042b3 47583->47585 47586 404343 47584->47586 47587 4043e7 WSAGetLastError 47584->47587 47585->47586 47589 404cbf 28 API calls 47585->47589 47609 4042e8 47585->47609 47586->47194 47587->47586 47588 4043f7 47587->47588 47590 4042f7 47588->47590 47591 4043fc 47588->47591 47593 4042d4 47589->47593 47596 401f66 28 API calls 47590->47596 47715 41bc76 30 API calls 47591->47715 47597 401f66 28 API calls 47593->47597 47595 4042f0 47595->47590 47599 404306 47595->47599 47600 404448 47596->47600 47601 4042e3 47597->47601 47598 40440b 47716 404c9e 28 API calls 47598->47716 47606 404315 47599->47606 47607 40434c 47599->47607 47603 401f66 28 API calls 47600->47603 47604 41a686 79 API calls 47601->47604 47608 404457 47603->47608 47604->47609 47605 404418 47610 401f66 28 API calls 47605->47610 47611 401f66 28 API calls 47606->47611 47712 420f34 54 API calls 47607->47712 47612 41a686 79 API calls 47608->47612 47710 420151 27 API calls 47609->47710 47614 404427 47610->47614 47615 404324 47611->47615 47612->47586 47617 41a686 79 API calls 47614->47617 47621 401f66 28 API calls 47615->47621 47616 404354 47618 404389 47616->47618 47619 404359 47616->47619 47620 40442c 47617->47620 47714 4202ea 28 API calls 47618->47714 47622 401f66 28 API calls 47619->47622 47623 401eea 11 API calls 47620->47623 47624 404333 47621->47624 47626 404368 47622->47626 47623->47586 47627 41a686 79 API calls 47624->47627 47629 401f66 28 API calls 47626->47629 47630 404338 47627->47630 47628 404391 47631 4043be CreateEventW CreateEventW 47628->47631 47633 401f66 28 API calls 47628->47633 47632 404377 47629->47632 47711 
41dc15 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 47630->47711 47631->47586 47634 41a686 79 API calls 47632->47634 47636 4043a7 47633->47636 47637 40437c 47634->47637 47638 401f66 28 API calls 47636->47638 47713 420592 52 API calls 47637->47713 47639 4043b6 47638->47639 47641 41a686 79 API calls 47639->47641 47642 4043bb 47641->47642 47642->47631 47717 41a945 GlobalMemoryStatusEx 47643->47717 47645 41a982 47645->47194 47718 413646 47646->47718 47650 440c5d 47649->47650 47756 440a4d 47650->47756 47652 440c7e 47652->47194 47654 40cc0d 47653->47654 47655 41246e 3 API calls 47654->47655 47656 40cc14 47655->47656 47657 4124b7 3 API calls 47656->47657 47658 40cc2c 47656->47658 47657->47658 47658->47194 47660 401f86 28 API calls 47659->47660 47661 41ae03 47660->47661 47661->47194 47663 41aed5 47662->47663 47664 401f86 28 API calls 47663->47664 47665 41aee7 47664->47665 47665->47194 47667 440c51 20 API calls 47666->47667 47668 41ad67 47667->47668 47669 401f66 28 API calls 47668->47669 47670 41ad75 47669->47670 47670->47194 47671->47229 47673 436050 ___scrt_fastfail 47672->47673 47674 41ac71 GetForegroundWindow GetWindowTextW 47673->47674 47675 403b40 28 API calls 47674->47675 47676 41ac9b 47675->47676 47676->47229 47678 401f66 28 API calls 47677->47678 47679 40e69e 47678->47679 47679->47229 47680->47229 47689 4045ec 47681->47689 47682 43a88c ___crtLCMapStringA 21 API calls 47682->47689 47684 40465b 47686 404666 47684->47686 47684->47689 47685 401f86 28 API calls 47685->47689 47773 4047eb 98 API calls 47686->47773 47687 401eef 11 API calls 47687->47689 47689->47682 47689->47684 47689->47685 47689->47687 47691 401eea 11 API calls 47689->47691 47761 404688 47689->47761 47772 40455b 57 API calls 47689->47772 47690 40466d 47692 401eea 11 API calls 47690->47692 47691->47689 47693 404676 47692->47693 47694 401eea 11 API calls 47693->47694 47695 40467f 47694->47695 47695->47190 47697->47194 47698->47190 47699->47190 47700->47229 47701->47190 47702->47190 
47703->47560 47704->47567 47705->47577 47709 404b29 101 API calls 47706->47709 47708 404b26 47709->47708 47710->47595 47711->47586 47712->47616 47713->47630 47714->47628 47715->47598 47716->47605 47717->47645 47721 413619 47718->47721 47722 41362e ___scrt_initialize_default_local_stdio_options 47721->47722 47725 43e2dd 47722->47725 47728 43b030 47725->47728 47729 43b070 47728->47729 47730 43b058 47728->47730 47729->47730 47732 43b078 47729->47732 47750 445354 20 API calls _abort 47730->47750 47751 4392de 35 API calls 3 library calls 47732->47751 47734 43b088 47752 43b7b6 20 API calls 2 library calls 47734->47752 47735 43b05d __wsopen_s 47743 433d2c 47735->47743 47738 41363c 47738->47194 47739 43b100 47753 43be24 50 API calls 3 library calls 47739->47753 47741 43b10b 47754 43b820 20 API calls _free 47741->47754 47744 433d37 IsProcessorFeaturePresent 47743->47744 47745 433d35 47743->47745 47747 4341a4 47744->47747 47745->47738 47755 434168 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 47747->47755 47749 434287 47749->47738 47750->47735 47751->47734 47752->47739 47753->47741 47754->47735 47755->47749 47757 440a64 47756->47757 47759 440a9b __wsopen_s 47757->47759 47760 445354 20 API calls _abort 47757->47760 47759->47652 47760->47759 47766 4046a3 47761->47766 47762 4047d8 47763 401eea 11 API calls 47762->47763 47764 4047e1 47763->47764 47764->47684 47765 403b60 28 API calls 47765->47766 47766->47762 47766->47765 47767 401eef 11 API calls 47766->47767 47768 401fbd 28 API calls 47766->47768 47769 401ebd 28 API calls 47766->47769 47771 401eea 11 API calls 47766->47771 47767->47766 47768->47766 47770 404772 CreateEventA CreateThread WaitForSingleObject CloseHandle 47769->47770 47770->47766 47774 414b9b 47770->47774 47771->47766 47772->47689 47773->47690 47775 401fbd 28 API calls 47774->47775 47776 414bbd SetEvent 47775->47776 47777 414bd2 47776->47777 47778 403b60 28 API calls 47777->47778 47779 414bec 47778->47779 47780 401fbd 28 
API calls 47779->47780 47781 414bfc 47780->47781 47782 401fbd 28 API calls 47781->47782 47783 414c0e 47782->47783 47784 41afc3 28 API calls 47783->47784 47785 414c17 47784->47785 47786 4161f2 47785->47786 47788 414de3 47785->47788 47789 414c37 GetTickCount 47785->47789 47787 401d8c 11 API calls 47786->47787 47790 4161fb 47787->47790 47788->47786 47848 414d99 47788->47848 47791 41ad46 28 API calls 47789->47791 47792 401eea 11 API calls 47790->47792 47793 414c4d 47791->47793 47796 416207 47792->47796 47853 41aca0 GetLastInputInfo GetTickCount 47793->47853 47795 414d7d 47795->47786 47799 401eea 11 API calls 47796->47799 47798 414c54 47800 41ad46 28 API calls 47798->47800 47801 416213 47799->47801 47802 414c5f 47800->47802 47803 41ac52 30 API calls 47802->47803 47804 414c6d 47803->47804 47805 41aec8 28 API calls 47804->47805 47806 414c7b 47805->47806 47807 401d64 28 API calls 47806->47807 47808 414c89 47807->47808 47854 4027ec 28 API calls 47808->47854 47810 414c97 47855 40275c 28 API calls 47810->47855 47812 414ca6 47813 4027cb 28 API calls 47812->47813 47814 414cb5 47813->47814 47856 40275c 28 API calls 47814->47856 47816 414cc4 47817 4027cb 28 API calls 47816->47817 47818 414cd0 47817->47818 47857 40275c 28 API calls 47818->47857 47820 414cda 47858 404468 61 API calls ctype 47820->47858 47822 414ce9 47823 401eea 11 API calls 47822->47823 47824 414cf2 47823->47824 47825 401eea 11 API calls 47824->47825 47826 414cfe 47825->47826 47827 401eea 11 API calls 47826->47827 47828 414d0a 47827->47828 47829 401eea 11 API calls 47828->47829 47830 414d16 47829->47830 47831 401eea 11 API calls 47830->47831 47832 414d22 47831->47832 47833 401eea 11 API calls 47832->47833 47834 414d2e 47833->47834 47835 401e13 11 API calls 47834->47835 47836 414d3a 47835->47836 47837 401eea 11 API calls 47836->47837 47838 414d43 47837->47838 47839 401eea 11 API calls 47838->47839 47840 414d4c 47839->47840 47841 401d64 28 API calls 47840->47841 47842 414d57 47841->47842 47843 43a5e7 _strftime 39 API 
calls 47842->47843 47844 414d64 47843->47844 47845 414d69 47844->47845 47846 414d8f 47844->47846 47849 414d82 47845->47849 47850 414d77 47845->47850 47847 401d64 28 API calls 47846->47847 47847->47848 47848->47786 47860 404ab1 83 API calls 47848->47860 47852 404915 104 API calls 47849->47852 47859 4049ba 81 API calls 47850->47859 47852->47795 47853->47798 47854->47810 47855->47812 47856->47816 47857->47820 47858->47822 47859->47795 47860->47795 47862->47257 47863->47286 47864->47285 47865->47274 47866->47278 47867->47284 47870 40e56a 47868->47870 47869 4124b7 3 API calls 47869->47870 47870->47869 47871 40e60e 47870->47871 47873 40e5fe Sleep 47870->47873 47878 40e59c 47870->47878 47874 4082dc 28 API calls 47871->47874 47872 4082dc 28 API calls 47872->47878 47873->47870 47877 40e619 47874->47877 47876 41ae08 28 API calls 47876->47878 47879 41ae08 28 API calls 47877->47879 47878->47872 47878->47873 47878->47876 47883 401e13 11 API calls 47878->47883 47886 401f66 28 API calls 47878->47886 47890 4126d2 14 API calls 47878->47890 47901 40bf04 73 API calls ___scrt_fastfail 47878->47901 47902 412774 14 API calls 47878->47902 47881 40e625 47879->47881 47903 412774 14 API calls 47881->47903 47883->47878 47884 40e638 47885 401e13 11 API calls 47884->47885 47887 40e644 47885->47887 47886->47878 47888 401f66 28 API calls 47887->47888 47889 40e655 47888->47889 47891 4126d2 14 API calls 47889->47891 47890->47878 47892 40e668 47891->47892 47904 411699 TerminateProcess WaitForSingleObject 47892->47904 47894 40e670 ExitProcess 47905 411637 62 API calls 47897->47905 47902->47878 47903->47884 47904->47894

                                        Control-flow Graph

                                        APIs
                                        • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                                        • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                                        • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                                        • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                                        • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                                        • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                        • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                        • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                        • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                        • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                        • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                        • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                        • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                        • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                        • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE09
                                        • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE16
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE19
                                        • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE2B
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE2E
                                        • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE3B
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
                                        • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE50
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE53
                                        • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE60
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041BE63
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$HandleLibraryLoadModule
                                        • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                        • API String ID: 384173800-625181639
                                        • Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                        • Instruction ID: 894fbade80705e672e772900be83df88f70523cf1842e1027a1ce5ee2e2841b6
                                        • Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                        • Instruction Fuzzy Hash: 2831EDA0E4031C7ADA107FB69C49E5B7E9CD944B953110827B508D3162FBBDA9809EEE

                                        Control-flow Graph

                                        Control-flow graph of function 0040D767 (basic-block graph rendered with an Executed / Not Executed colour legend; the serialized node list is not reproducible as text. Win32 APIs called directly from its blocks: GetModuleFileNameW, CreateThread, StrToIntA, SetProcessDEPPolicy, DeleteFileW, Sleep)
                                        APIs
                                          • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                                          • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                                          • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                                          • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                                          • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                                          • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                          • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                          • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                          • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                          • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                          • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                          • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                          • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                          • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                          • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                          • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe,00000104), ref: 0040D790
                                          • Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                        • String ID: 0DG$@CG$@CG$Access Level: $Administrator$C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe$Exe$Exe$Inj$Remcos Agent initialized$Rmc-P8SKN0$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt$BG$BG$BG$BG$BG
                                        • API String ID: 2830904901-4073524345
                                        • Opcode ID: 1feaa221af3d9bc0dfd4d7f5600e6996a43797c6942cd3562ac271a2f27e0721
                                        • Instruction ID: 4071723a11783d2da8da933f82134b9c6f3815e49c8d87d463163304bf45e319
                                        • Opcode Fuzzy Hash: 1feaa221af3d9bc0dfd4d7f5600e6996a43797c6942cd3562ac271a2f27e0721
                                        • Instruction Fuzzy Hash: 4032A360B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                          • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                          • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
                                        • Sleep.KERNEL32(00000BB8), ref: 0040E603
                                        • ExitProcess.KERNEL32 ref: 0040E672
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseExitOpenProcessQuerySleepValue
                                        • String ID: 5.3.0 Pro$override$pth_unenc$BG
                                        • API String ID: 2281282204-3981147832
                                        • Opcode ID: 2461c045ef1dac3841d48b1deb4288f8669071a9a0de27c7ec177a3bdcb1d130
                                        • Instruction ID: 346becae97c590b24629de205d3f766cc2ad037e5fc603921d36f10068cff0f4
                                        • Opcode Fuzzy Hash: 2461c045ef1dac3841d48b1deb4288f8669071a9a0de27c7ec177a3bdcb1d130
                                        • Instruction Fuzzy Hash: 6B21A131B0030027C608767A891BA6F359A9B91719F90443EF805A76D7EE7D8A6083DF

                                         Control-flow Graph (function 404915; rendered graph not recoverable from the page)
                                        APIs
                                        • GetLocalTime.KERNEL32(00000001,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404946
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404994
                                        • CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7
                                        Strings
                                        • KeepAlive | Enabled | Timeout: , xrefs: 0040495C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Create$EventLocalThreadTime
                                        • String ID: KeepAlive | Enabled | Timeout:
                                        • API String ID: 2532271599-1507639952
                                        • Opcode ID: a3e7f950c272db367cf57d75ad6eacd40f192a8e07bfc195eb29d972b055aac3
                                        • Instruction ID: c7daaf492e0cec12b0841424890a61be8e5b61f5a3177df3d8f4b9063cedc03f
                                        • Opcode Fuzzy Hash: a3e7f950c272db367cf57d75ad6eacd40f192a8e07bfc195eb29d972b055aac3
                                        • Instruction Fuzzy Hash: 38113AB19042547AC710A7BA8C49BCB7F9C9F86364F00407BF40462192C7789845CBFA
                                        APIs
                                        • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326C2,00000024,?,?,?), ref: 0043294C
                                        • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBBE,?), ref: 00432962
                                        • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBBE,?), ref: 00432974
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Crypt$Context$AcquireRandomRelease
                                        • String ID:
                                        • API String ID: 1815803762-0
                                        • Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                        • Instruction ID: 80435fde6f6b62f03973a002229794bf261f16e8857de4c024377aa862d1bdf3
                                        • Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                        • Instruction Fuzzy Hash: 11E06D31308211BBEB310E25BC08F573F94AF89B71F71053AB211E40E4C2A188419A1C
                                        APIs
                                        • GetComputerNameExW.KERNEL32(00000001,?,0000002B,00474358), ref: 0041A7BF
                                        • GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7D7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Name$ComputerUser
                                        • String ID:
                                        • API String ID: 4229901323-0
                                        • Opcode ID: cde94d6ab6d559736168707b99f603480b027a4e5b0d27f6afb59f5a93c8ae6f
                                        • Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
                                        • Opcode Fuzzy Hash: cde94d6ab6d559736168707b99f603480b027a4e5b0d27f6afb59f5a93c8ae6f
                                        • Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98
                                        APIs
                                        • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A10,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: InfoLocale
                                        • String ID:
                                        • API String ID: 2299586839-0
                                        • Opcode ID: 2f0bd58ff2c46692be8fd04023cab22914861fe3b087e1ba55e03f3e1b92ba33
                                        • Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
                                        • Opcode Fuzzy Hash: 2f0bd58ff2c46692be8fd04023cab22914861fe3b087e1ba55e03f3e1b92ba33
                                        • Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: recv
                                        • String ID:
                                        • API String ID: 1507349165-0
                                        • Opcode ID: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                        • Instruction ID: fbcf0fb35859d26dd0bec2a34c6193cd90ff2e5205aa97c5c9b80f8ed11fde70
                                        • Opcode Fuzzy Hash: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                        • Instruction Fuzzy Hash: 35B09279118202FFCA051B60DC0887ABEBAABCC381F108D2DB586501B0CA37C451AB26

                                         Control-flow Graph (function 413fd4; rendered graph not recoverable from the page)
                                        APIs
                                        • Sleep.KERNEL32(00000000,00000029,004742F8,?,00000000), ref: 00414028
                                        • WSAGetLastError.WS2_32 ref: 00414249
                                        • Sleep.KERNEL32(00000000,00000002), ref: 00414B88
                                          • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Sleep$ErrorLastLocalTime
                                        • String ID: | $%I64u$5.3.0 Pro$@CG$C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$Rmc-P8SKN0$TLS Off$TLS On $TUF$XCG$XCG$XCG$`=G$dCG$hlight$name$>G$>G$BG
                                        • API String ID: 524882891-2375169105
                                        • Opcode ID: d79de26a779f686b336a9291a7a0958190edcc596465beed7075f6d51faa966c
                                        • Instruction ID: a0bb0b13232d9f5991351636829aab2dda2428bc81dc0b9639db3628de0ead2f
                                        • Opcode Fuzzy Hash: d79de26a779f686b336a9291a7a0958190edcc596465beed7075f6d51faa966c
                                        • Instruction Fuzzy Hash: 58524E31A001145ADB18F771DDA6AEE73A59F90708F1041BFB80A771E2EF385E85CA9D

                                        Control-flow Graph

                                        APIs
                                        • connect.WS2_32(?,?,?), ref: 004042A5
                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
                                        • WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
                                          • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                        • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                        • API String ID: 994465650-2151626615
                                        • Opcode ID: f03c8509d3d8fad9def1ca513e61ca79f1b7eacbb3df97a90e8aaf4e536afa37
                                        • Instruction ID: b196b808fbc66b1ac8da6b4b51d7f626a0d3d22bc4cde50e21f83cd2c7739b74
                                        • Opcode Fuzzy Hash: f03c8509d3d8fad9def1ca513e61ca79f1b7eacbb3df97a90e8aaf4e536afa37
                                        • Instruction Fuzzy Hash: ED4128B1B00202A7CB04B77A8C5B66D7A55AB81368B40007FF901676D3EE7DAD6087DF

                                         Control-flow Graph (function 40c89e; rendered graph not recoverable from the page)
                                        APIs
                                        • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040CA04
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LongNamePath
                                        • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                        • API String ID: 82841172-425784914
                                        • Opcode ID: 3954268d7dffdf0489eff235fb9ef20efbe8d8525197cc8e6b2bb3884c319527
                                        • Instruction ID: 51cedb133b73bca78a9fc1065318242b3d6e678e936cb09da4a185c9a299c852
                                        • Opcode Fuzzy Hash: 3954268d7dffdf0489eff235fb9ef20efbe8d8525197cc8e6b2bb3884c319527
                                        • Instruction Fuzzy Hash: 39413A721442009BC214FB21DD96DAFB7A4AE90759F10063FB546720E2EE7CAA49C69F

                                         Control-flow Graph (function 41a51b; rendered graph not recoverable from the page)
                                        APIs
                                        • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A53E
                                        • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A554
                                        • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A56D
                                        • InternetCloseHandle.WININET(00000000), ref: 0041A5B3
                                        • InternetCloseHandle.WININET(00000000), ref: 0041A5B6
                                        Strings
                                        • http://geoplugin.net/json.gp, xrefs: 0041A54E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$CloseHandleOpen$FileRead
                                        • String ID: http://geoplugin.net/json.gp
                                        • API String ID: 3121278467-91888290

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                          • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
                                          • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                          • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                          • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                        • StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4D9
                                        Similarity
                                        • API ID: Process$CloseCurrentOpenQueryValueWow64
                                        • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                        • API String ID: 782494840-2070987746

                                        Control-flow Graph (figure; legend: executed / not executed)
                                        control_flow_graph 1170 4126d2-4126e9 RegCreateKeyA 1171 412722 1170->1171 1172 4126eb-412720 call 4022f8 call 401e8f RegSetValueExA RegCloseKey 1170->1172 1174 412724-412730 call 401eea 1171->1174 1172->1174
                                        APIs
                                        • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                                        • RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                                        • RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                                        Similarity
                                        • API ID: CloseCreateValue
                                        • String ID: HgF$pth_unenc
                                        • API String ID: 1818849710-3662775637

                                        Control-flow Graph (figure; legend: executed / not executed)
                                        control_flow_graph 1197 4127d5-4127eb RegCreateKeyA 1198 412818-41281b 1197->1198 1199 4127ed-412812 RegSetValueExA RegCloseKey 1197->1199 1199->1198 1200 412814-412817 1199->1200
                                        APIs
                                        • RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                        • RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                        • RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                        Similarity
                                        • API ID: CloseCreateValue
                                        • String ID: TUF
                                        • API String ID: 1818849710-3431404234

                                        Control-flow Graph

                                        APIs
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
                                        • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
                                        • CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
                                        Similarity
                                        • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                        • String ID:
                                        • API String ID: 3360349984-0

                                        Control-flow Graph

                                        Similarity
                                        • API ID: CountEventTick
                                        • String ID: >G
                                        • API String ID: 180926312-1296849874

                                        Control-flow Graph (figure; legend: executed / not executed)
                                        control_flow_graph 1340 40bed7-40bf03 call 401e8f CreateMutexA GetLastError
                                        APIs
                                        • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
                                        • GetLastError.KERNEL32 ref: 0040BEF1
                                        Similarity
                                        • API ID: CreateErrorLastMutex
                                        • String ID: Rmc-P8SKN0
                                        • API String ID: 1925916568-1942146062

                                        Control-flow Graph (figure; legend: executed / not executed)
                                        control_flow_graph 1343 412513-41253f RegOpenKeyExA 1344 412541-412567 RegQueryValueExA RegCloseKey 1343->1344 1345 412572 1343->1345 1344->1345 1346 412569-412570 1344->1346 1347 412577-412583 call 401f66 1345->1347 1346->1347
                                        APIs
                                        • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                        • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                        • RegCloseKey.KERNEL32(?), ref: 0041255F
                                        Similarity
                                        • API ID: CloseOpenQueryValue
                                        • String ID:
                                        • API String ID: 3677997916-0
                                        APIs
                                        • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                        • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                        • RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                        Similarity
                                        • API ID: CloseOpenQueryValue
                                        • String ID:
                                        • API String ID: 3677997916-0
                                        APIs
                                        • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                        • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                        • RegCloseKey.KERNEL32(?), ref: 00412500
                                        Similarity
                                        • API ID: CloseOpenQueryValue
                                        • String ID:
                                        • API String ID: 3677997916-0
                                        APIs
                                        • GetEnvironmentStringsW.KERNEL32 ref: 0044E1C2
                                        • _free.LIBCMT ref: 0044E1FB
                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E202
                                        Similarity
                                        • API ID: EnvironmentStrings$Free_free
                                        • String ID:
                                        • API String ID: 2716640707-0
                                        APIs
                                        • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B996,004660E0), ref: 00412485
                                        • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040B996,004660E0), ref: 00412499
                                        • RegCloseKey.KERNEL32(?,?,?,0040B996,004660E0), ref: 004124A4
                                        Similarity
                                        • API ID: CloseOpenQueryValue
                                        • String ID:
                                        • API String ID: 3677997916-0
                                        Similarity
                                        • API ID: _wcslen
                                        • String ID: xAG
                                        • API String ID: 176396367-2759412365
                                        • Opcode ID: ff637472b7ef91eb79cf1c791d23dde74da6086b31a6c5428193f8d367aac764
                                        • Instruction ID: 4b5f0267b16b6d1f94f05398eea60063c36f9fdec9e789d07f1c8464d26cb595
                                        • Opcode Fuzzy Hash: ff637472b7ef91eb79cf1c791d23dde74da6086b31a6c5428193f8d367aac764
                                        • Instruction Fuzzy Hash: 751193325002049FCB15FF66D8968EF7BA4EF64314B10453FF842622E2EF38A955CB98
                                        APIs
                                        • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041A959
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: GlobalMemoryStatus
                                        • String ID: @
                                        • API String ID: 1890195054-2766056989
                                        • Opcode ID: 6a5e85952f382d12afcc854e62baf2dc0b8e461fb7fe04101b075e185c2318ef
                                        • Instruction ID: dd145fffdacd7bda74fa2c6e5abe56fe406d4b7e613986be5c07feff288e4f4e
                                        • Opcode Fuzzy Hash: 6a5e85952f382d12afcc854e62baf2dc0b8e461fb7fe04101b075e185c2318ef
                                        • Instruction Fuzzy Hash: EFD067B99013189FCB20DFA8E945A8DBBF8FB48214F004529E946E3344E774E945CB95
                                        APIs
                                        • _free.LIBCMT ref: 0044B9DF
                                          • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433627,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B31
                                        • HeapReAlloc.KERNEL32(00000000,?,00000000,?,0000000F,?,00431FD7,00000000,0000000F,0042EA3D,?,?,00430AA6,?,00000000), ref: 0044BA1B
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocAllocate_free
                                        • String ID:
                                        • API String ID: 2447670028-0
                                        • Opcode ID: f9850f2e4451b66dc1836ae2daa4b0b8db6d154ee956e2f6ea7b1b5ba2d488f5
                                        • Instruction ID: 12956794463f81a5c067cbc08b9f94d22fea268b9007f3edb04f63306941b305
                                        • Opcode Fuzzy Hash: f9850f2e4451b66dc1836ae2daa4b0b8db6d154ee956e2f6ea7b1b5ba2d488f5
                                        • Instruction Fuzzy Hash: D6F0F67210051167FF212A27AC01B6B2B2CDFC27B1F15012BFA18AA292DF6CCC0191EE
                                        APIs
                                        • socket.WS2_32(?,00000001,00000006), ref: 00404212
                                          • Part of subcall function 00404262: WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404252
                                        Yara matches
                                        Similarity
                                        • API ID: CreateEventStartupsocket
                                        • String ID:
                                        • API String ID: 1953588214-0
                                        • Opcode ID: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                                        • Instruction ID: 6d5c4ce7eefecebe47fda3b025552a79fd8a61a73b62065855ea20d17e135052
                                        • Opcode Fuzzy Hash: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                                        • Instruction Fuzzy Hash: A20171B05087809ED7358F38B8456977FE0AB15314F044DAEF1D697BA1C3B5A481CB18
                                        APIs
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00433DE7
                                          • Part of subcall function 00437BD7: RaiseException.KERNEL32(?,?,?,>C,00000000,00000000,?,?,?,?,?,?,00433E09,?,0046D5EC), ref: 00437C37
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00433E04
                                        Yara matches
                                        Similarity
                                        • API ID: Exception@8Throw$ExceptionRaise
                                        • String ID:
                                        • API String ID: 3476068407-0
                                        • Opcode ID: 02f9a842f842a715d987613c720c18d86e9d620b05cc95bf3092e1ce2b61825f
                                        • Instruction ID: 1b32a2814776e74a5aaecdac66354fa275a8f3c838098619b8de34dc4906cb01
                                        • Opcode Fuzzy Hash: 02f9a842f842a715d987613c720c18d86e9d620b05cc95bf3092e1ce2b61825f
                                        • Instruction Fuzzy Hash: 33F02B30C0020D77CB14BEA5E80699D772C4D08319F20923BB920915E1EF7CEB05858D
                                        APIs
                                        • GetForegroundWindow.USER32 ref: 0041AC74
                                        • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041AC87
                                        Yara matches
                                        Similarity
                                        • API ID: Window$ForegroundText
                                        • String ID:
                                        • API String ID: 29597999-0
                                        • Opcode ID: 8a79a7386f37e374dce250e4fcdef39063f35a229190475e51bbbfed219b13a7
                                        • Instruction ID: 3cf16c2a8257e52241c70e3f2477159e0ff99a2dafdd86ddfb3cfc0a4d760bbd
                                        • Opcode Fuzzy Hash: 8a79a7386f37e374dce250e4fcdef39063f35a229190475e51bbbfed219b13a7
                                        • Instruction Fuzzy Hash: 56E04875A0031467EB24A765AC4EFDA766C9704715F0000B9BA19D21C3E9B4EA04CBE4
                                        APIs
                                        • getaddrinfo.WS2_32(00000000,00000000,00000000,00471B28,00474358,00000000,00414240,00000000,00000001), ref: 00413FBC
                                        • WSASetLastError.WS2_32(00000000), ref: 00413FC1
                                          • Part of subcall function 00413E37: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                          • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                          • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                          • Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                          • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413F27
                                          • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                          • Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                          • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                        Yara matches
                                        Similarity
                                        • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                        • String ID:
                                        • API String ID: 1170566393-0
                                        • Opcode ID: de7c912f5844d1f7c2d429620844517faabbfd26de99632591fe9930316e04d8
                                        • Instruction ID: 9c65b6197a0e8ce5e429e224625e4c370c9a1848c9e97f9a588a6d75e163472b
                                        • Opcode Fuzzy Hash: de7c912f5844d1f7c2d429620844517faabbfd26de99632591fe9930316e04d8
                                        • Instruction Fuzzy Hash: 4ED05B326406216FB310575D6D01FFBB5DCDFA67617150077F408D7110D6945D82C3AD
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433627,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B31
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateHeap
                                        • String ID:
                                        • API String ID: 1279760036-0
                                        • Opcode ID: 9bddc84dc8664baa6f7cbd2250fb2f50dd1e52b915d866c7822d6cfd0d1e4f3c
                                        • Instruction ID: 23017b4f7b15ec8d1e6c8205d578d5100ba2a3a3bb6c043e3f5ab96588fe2cc9
                                        • Opcode Fuzzy Hash: 9bddc84dc8664baa6f7cbd2250fb2f50dd1e52b915d866c7822d6cfd0d1e4f3c
                                        • Instruction Fuzzy Hash: 16E0E5312002B556FB202A6A9C05F5B7A88DB437A4F160133AC09D62D0CF5CEC4181AF
                                        APIs
                                        • WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                        Yara matches
                                        Similarity
                                        • API ID: Startup
                                        • String ID:
                                        • API String ID: 724789610-0
                                        • Opcode ID: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                                        • Instruction ID: eac2355bac846bce9fd0ddf676e945afe2a4b646382637a0be3cadb4b1fbcda1
                                        • Opcode Fuzzy Hash: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                                        • Instruction Fuzzy Hash: E1D012325596084ED610AAB8AC0F8A47B5CD317611F0003BA6CB5826E3E640661CC6AB
                                        APIs
                                        Yara matches
                                        Similarity
                                        • API ID: send
                                        • String ID:
                                        • API String ID: 2809346765-0
                                        • Opcode ID: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                                        • Instruction ID: f30177ef1ac25d972003a71432bbdafa3536f6886768dd9ca1b11e7f0a6bf502
                                        • Opcode Fuzzy Hash: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                                        • Instruction Fuzzy Hash: 4FB09279118302BFCA051B60DC0887A7EBAABC9381B108C2CB146512B0CA37C490EB36
                                        APIs
                                        • SetEvent.KERNEL32(?), ref: 00406F28
                                        • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
                                        • DeleteFileW.KERNEL32(00000000), ref: 00407018
                                          • Part of subcall function 0041B42F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B489
                                          • Part of subcall function 0041B42F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4BB
                                          • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B50C
                                          • Part of subcall function 0041B42F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B561
                                          • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B568
                                          • Part of subcall function 00404468: send.WS2_32(000002E8,00000000,00000000,00000000), ref: 004044FD
                                          • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                          • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                          • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                          • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                          • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                          • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(00000304,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                          • Part of subcall function 00404468: SetEvent.KERNEL32(00000304,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
                                        • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
                                        • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
                                        • DeleteFileA.KERNEL32(?), ref: 004078CC
                                          • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
                                          • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                          • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                        • Sleep.KERNEL32(000007D0), ref: 00407976
                                        • StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
                                          • Part of subcall function 0041BB77: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                                        • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$TTF$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
                                        • API String ID: 2918587301-184849705
                                        • Opcode ID: 1e4bacb3a1013d1a09878f753a9957424721611ff69a72a630711e1f66ce10f8
                                        • Instruction ID: 8a4068a2e00c67808ff4e441dc576a613f01372a1abbdcb91e63f440e0dcd641
                                        • Opcode Fuzzy Hash: 1e4bacb3a1013d1a09878f753a9957424721611ff69a72a630711e1f66ce10f8
                                        • Instruction Fuzzy Hash: 60429371A043005BC614F776C8979AE77A99F90718F40493FF946731E2EE3CAA09C69B
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 0040508E
                                          • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                          • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                          • Part of subcall function 00404468: send.WS2_32(000002E8,00000000,00000000,00000000), ref: 004044FD
                                        • __Init_thread_footer.LIBCMT ref: 004050CB
                                        • CreatePipe.KERNEL32(00475CEC,00475CD4,00475BF8,00000000,0046556C,00000000), ref: 0040515E
                                        • CreatePipe.KERNEL32(00475CD8,00475CF4,00475BF8,00000000), ref: 00405174
                                        • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C08,00475CDC), ref: 004051E7
                                          • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                          • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                        • Sleep.KERNEL32(0000012C,00000093), ref: 0040523F
                                        • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
                                        • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
                                          • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                        • WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
                                        • Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
                                        • TerminateProcess.KERNEL32(00000000), ref: 004053C1
                                        • CloseHandle.KERNEL32 ref: 004053CD
                                        • CloseHandle.KERNEL32 ref: 004053D5
                                        • CloseHandle.KERNEL32 ref: 004053E7
                                        • CloseHandle.KERNEL32 ref: 004053EF
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                        • String ID: P\G$P\G$P\G$P\G$P\G$SystemDrive$cmd.exe
                                        • API String ID: 3815868655-81343324
                                        • Opcode ID: 180b0dffe35c2faf8902016a2620f3d20deddc0a0bf09a0e4a509648f89d1c68
                                        • Instruction ID: b18bac6d60c4c725a58799f80733fb47b3e4e6a61b1262bf76379e9ec18ff918
                                        • Opcode Fuzzy Hash: 180b0dffe35c2faf8902016a2620f3d20deddc0a0bf09a0e4a509648f89d1c68
                                        • Instruction Fuzzy Hash: A691E5716007056FD705BB65AC41A6F37A8EB80348F50403FF94ABA1E2EEBC9C448B6D
                                        APIs
                                        • GetCurrentProcessId.KERNEL32 ref: 00410F45
                                          • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                          • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                          • Part of subcall function 004127D5: RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                        • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
                                        • CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6
                                          • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                          • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                          • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
                                        • CloseHandle.KERNEL32(00000000), ref: 00410F90
                                          • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                        • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                                        • String ID: 0DG$Remcos restarted by watchdog!$TTF$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$BG
                                        • API String ID: 65172268-329858390
                                        • Opcode ID: 4cccae15825dc70b76dd6ee67fc2b5fb9e7f44ababb4c16bd64d45af9b536c5f
                                        • Instruction ID: 2ec41641ff7d981187ed77e29e7d519fc89a207972baa733902a05010441332b
                                        • Opcode Fuzzy Hash: 4cccae15825dc70b76dd6ee67fc2b5fb9e7f44ababb4c16bd64d45af9b536c5f
                                        • Instruction Fuzzy Hash: 97719E3160420157C614FB32D8579AE77A8AED4718F40053FF582A21F2EF7CAA49869F
                                        APIs
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
                                        • FindClose.KERNEL32(00000000), ref: 0040B3CE
                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
                                        • FindClose.KERNEL32(00000000), ref: 0040B517
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$CloseFile$FirstNext
                                        • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                        • API String ID: 1164774033-3681987949
                                        • Opcode ID: a4996ac1e9b4f4ffa266264a38f746317b28c3497de92ba34fbaa2ec49a533d0
                                        • Instruction ID: 89bba1744b34cafda07904381260291e44814ca984bf7dbd554ee600cd7873bd
                                        • Opcode Fuzzy Hash: a4996ac1e9b4f4ffa266264a38f746317b28c3497de92ba34fbaa2ec49a533d0
                                        • Instruction Fuzzy Hash: 4D512C319042195ADB14FBA1EC96AEE7768EF50318F50007FF805B31E2EF389A45CA9D
                                        APIs
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
                                        • FindClose.KERNEL32(00000000), ref: 0040B5CC
                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
                                        • FindClose.KERNEL32(00000000), ref: 0040B6B2
                                        • FindClose.KERNEL32(00000000), ref: 0040B6D1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$Close$File$FirstNext
                                        • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                        • API String ID: 3527384056-432212279
                                        • Opcode ID: 3552012fe5b676e98095ce79675c5a1c05ebb643c23daa3b661334b35e5033d9
                                        • Instruction ID: 41d59f58487c11b5b23c2ebc8e3123b77d6604a8f5f59a85184e8f88ff1ca84c
                                        • Opcode Fuzzy Hash: 3552012fe5b676e98095ce79675c5a1c05ebb643c23daa3b661334b35e5033d9
                                        • Instruction Fuzzy Hash: 65413A319042196ACB14F7A1EC569EE7768EE21318F50017FF801B31E2EF399A458A9E
                                        APIs
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
                                        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
                                        • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C
                                          • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                          • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                          • Part of subcall function 004127D5: RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                        • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                                        • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
                                        • API String ID: 726551946-3025026198
                                        • Opcode ID: 72bb61d7f313816b64ffb61e0d931205bd1673005f3e324f3ab0ee563151fb15
                                        • Instruction ID: ae31f71cb8b9f969ca9e83e5ca698076ed3bac053ed440982de07d1dc4d90588
                                        • Opcode Fuzzy Hash: 72bb61d7f313816b64ffb61e0d931205bd1673005f3e324f3ab0ee563151fb15
                                        • Instruction Fuzzy Hash: ED7172311083019BC714FB61D8519EF77A5BF91358F400D3EF986631E2EF38A959CA9A
                                        APIs
                                        • OpenClipboard.USER32 ref: 004159C7
                                        • EmptyClipboard.USER32 ref: 004159D5
                                        • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
                                        • GlobalLock.KERNEL32(00000000), ref: 004159FE
                                        • GlobalUnlock.KERNEL32(00000000), ref: 00415A34
                                        • SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
                                        • CloseClipboard.USER32 ref: 00415A5A
                                        • OpenClipboard.USER32 ref: 00415A61
                                        • GetClipboardData.USER32(0000000D), ref: 00415A71
                                        • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                        • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                        • CloseClipboard.USER32 ref: 00415A89
                                          • Part of subcall function 00404468: send.WS2_32(000002E8,00000000,00000000,00000000), ref: 004044FD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                        • String ID:
                                        • API String ID: 3520204547-0
                                        • Opcode ID: 122f3309fb91a6f9f31196cc779c7eb69f0c2123585f080098751be3610840cc
                                        • Instruction ID: b8e523df9fc7c7245f85f50a48877f09888e29e8b5459684195c928b546a98bf
                                        • Opcode Fuzzy Hash: 122f3309fb91a6f9f31196cc779c7eb69f0c2123585f080098751be3610840cc
                                        • Instruction Fuzzy Hash: E02183712043009BC714BBB1EC5AAAE76A9AF80752F00453EFD06961E2EF38C845D66A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 0$1$2$3$4$5$6$7
                                        • API String ID: 0-3177665633
                                        • Opcode ID: f8af07fa47c58c456c71caf90e41cb852091bf7478b48f1c56509a0c55dbd029
                                        • Instruction ID: 2879f211a781d1662389055333b9a248a4bc7621c6500268a6892da51c348380
                                        • Opcode Fuzzy Hash: f8af07fa47c58c456c71caf90e41cb852091bf7478b48f1c56509a0c55dbd029
                                        • Instruction Fuzzy Hash: CC61A370508301AEDB00EF21D862FEA77E4AF85754F40485EFA91672E1DF789A48C797
                                        APIs
                                        • GetForegroundWindow.USER32 ref: 00409B3F
                                        • GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                        • GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                        • GetKeyState.USER32(00000010), ref: 00409B5C
                                        • GetKeyboardState.USER32(?), ref: 00409B67
                                        • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                                        • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                        • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409C1C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                        • String ID: 8[G
                                        • API String ID: 1888522110-1691237782
                                        • Opcode ID: 3e4cd20e139c82d1a9a354c0cd804b45f3e7cb2135d7d20bc0d0fffe1111d1b9
                                        • Instruction ID: f24a8317de74a0bbad47f265c67a45df51816e9018bfad09e00086f3728f1c27
                                        • Opcode Fuzzy Hash: 3e4cd20e139c82d1a9a354c0cd804b45f3e7cb2135d7d20bc0d0fffe1111d1b9
                                        • Instruction Fuzzy Hash: EE318172508309AFD700DF90DC85FDBB7ECEB48715F00083ABA45961A1D6B5E948DB96
                                        APIs
                                        • _wcslen.LIBCMT ref: 00406788
                                        • CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Object_wcslen
                                        • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                        • API String ID: 240030777-3166923314
                                        • Opcode ID: f680b05b7da9254b8b2e62aef58334289a0f3b659c75efd963e3361adaa2c028
                                        • Instruction ID: dba8c49f7cecafb8ed31af17d29d910bb03d3c12ecd117c8e18c4d6c9c114880
                                        • Opcode Fuzzy Hash: f680b05b7da9254b8b2e62aef58334289a0f3b659c75efd963e3361adaa2c028
                                        • Instruction Fuzzy Hash: 811170B2901118AEDB10FAA5884AA9EB7BCDB48714F55007FE905F3281E7789A148A7D
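The CoGetObject block above records the CMSTPLUA elevated-COM UAC bypass only as a list of call sites and strings. The following Python is an added example, not part of the Joe Sandbox report and not Remcos code: it parses the report's own "APIs" and "String ID" lines into records and then applies capability rules taken from the behaviours listed on this page (the Elevation:Administrator!new: moniker together with the CMSTPLUA CLSID, the Firefox logins.json and cookies.sqlite wipe, the watchdog strings). The rule names and the classify() interface are the example's own choices; the two sample blocks are copied from this report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One API line of the Joe Sandbox IDA-plugin listing, e.g.
#   • CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
#   • GetLastError.KERNEL32 ref: 00419935
#     • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"      # the argument list is absent for some calls
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    func: str
    module: str
    args: List[str]
    ref: int                  # call-site address inside the image (base 00400000)
    parent: Optional[int]     # address of the subcall function, if the line was nested


def parse_api_lines(block: str) -> List[ApiCall]:
    """Extract every API call record from one function block of the report."""
    calls = []
    for line in block.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue          # "APIs", "Strings" and other headers are skipped
        raw = m.group("args") or ""
        calls.append(ApiCall(
            func=m.group("func"),
            module=m.group("module"),
            args=[a for a in raw.split(",") if a],
            ref=int(m.group("ref"), 16),
            parent=int(m.group("parent"), 16) if m.group("parent") else None,
        ))
    return calls


def parse_string_id(line: str) -> List[str]:
    """Split a '• String ID: a$b$c' line into its strings.
    The report joins strings with '$', so a literal '$' inside a string is
    ambiguous; empty tokens are dropped rather than guessed at."""
    _, _, body = line.partition("String ID:")
    return [s for s in body.strip().split("$") if s]


ELEVATION_MONIKER = "Elevation:Administrator!new:"
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
FIREFOX_PROFILES = "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\"

# (capability name, APIs that must all be called, substrings the string table must contain).
# Names are this example's own; the indicators are the ones listed in this report.
RULES: List[Tuple[str, set, List[str]]] = [
    ("uac_bypass_cmstplua", {"CoGetObject"}, [ELEVATION_MONIKER, CMSTPLUA_CLSID]),
    ("firefox_logins_wipe", {"FindFirstFileA", "FindNextFileA"}, [FIREFOX_PROFILES, "\\logins.json"]),
    ("firefox_cookies_wipe", {"FindFirstFileA", "FindNextFileA"}, [FIREFOX_PROFILES, "\\cookies.sqlite"]),
    ("remcos_watchdog", {"OpenMutexA", "CreateThread", "OpenProcess"}, ["Remcos restarted by watchdog!"]),
]


def classify(block: str) -> List[Tuple[str, List[int]]]:
    """Return (capability, call-site addresses) for every rule the block satisfies."""
    calls = parse_api_lines(block)
    strings: List[str] = []
    for line in block.splitlines():
        if "String ID:" in line:
            strings = parse_string_id(line)
    called = {c.func for c in calls}
    hits = []
    for name, apis, needles in RULES:
        if apis <= called and all(any(n in s for s in strings) for n in needles):
            hits.append((name, [c.ref for c in calls if c.func in apis]))
    return hits


# Sample input: the CoGetObject block and the Firefox StoredLogins block copied from this report.
SAMPLE_CMSTPLUA = """\
APIs
• _wcslen.LIBCMT ref: 00406788
• CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
Strings
• String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
"""

SAMPLE_FIREFOX = r"""APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
• FindClose.KERNEL32(00000000), ref: 0040B3CE
• FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
• FindClose.KERNEL32(00000000), ref: 0040B517
Strings
• String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
"""

if __name__ == "__main__":
    for name, block in (("cmstplua", SAMPLE_CMSTPLUA), ("firefox", SAMPLE_FIREFOX)):
        for capability, sites in classify(block):
            print(name, capability, [hex(s) for s in sites])
```

The ref addresses are image addresses (the dump is based at 00400000), so they can be fed straight to IDA or to a breakpoint list when the sample is debugged. A string rule on its own is weak, since a benign installer could carry a CMSTPLUA CLSID; requiring the matching API set in the same function is what keeps the rule specific.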
                                        APIs
                                        • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004748F8), ref: 004198D8
                                        • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419927
                                        • GetLastError.KERNEL32 ref: 00419935
                                        • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041996D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                        • String ID:
                                        • API String ID: 3587775597-0
                                        • Opcode ID: cbb4319f4ea4d4597f1e30bd7914a7df107bdaf14578ca57a6b92482c719bea5
                                        • Instruction ID: 5304d2aa3016a1bb8b693e548c532b43deb082133906afc562c92feca393f19d
                                        • Opcode Fuzzy Hash: cbb4319f4ea4d4597f1e30bd7914a7df107bdaf14578ca57a6b92482c719bea5
                                        • Instruction Fuzzy Hash: 37812F711083049BC614FB21DC959AFB7A8BF94718F50493EF582521E2EF78AA05CB9A
                                        APIs
                                          • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                          • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                        • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004514C3
                                        • IsValidCodePage.KERNEL32(00000000), ref: 0045151E
                                        • IsValidLocale.KERNEL32(?,00000001), ref: 0045152D
                                        • GetLocaleInfoW.KERNEL32(?,00001001,<D,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00451575
                                        • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 00451594
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                        • String ID: <D$<D$<D
                                        • API String ID: 745075371-3495170934
                                        • Opcode ID: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                        • Instruction ID: fdda48fcf8ef828b158f806230e01f9d82b9b72a6df542884d0e4dc3e0683d2c
                                        • Opcode Fuzzy Hash: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                        • Instruction Fuzzy Hash: 5A51D571900205ABEF10EFA5CC40BBF73B8AF05702F14056BFD11EB262E7789A488769
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B489
                                        • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4BB
                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B529
                                        • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B536
                                          • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B50C
                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B561
                                        • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B568
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,004742E0,004742F8), ref: 0041B570
                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B583
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                        • String ID:
                                        • API String ID: 2341273852-0
                                        • Opcode ID: e3c00313fe9feb441b7390d1c72d337a5a5a4ab260ce0f05f37d8840b2d05d0a
                                        • Instruction ID: e81c2b0307560c21eb772b723951cbad4d8c7a866ea933437d0d5d39764c0eb1
                                        • Opcode Fuzzy Hash: e3c00313fe9feb441b7390d1c72d337a5a5a4ab260ce0f05f37d8840b2d05d0a
                                        • Instruction Fuzzy Hash: 0031627184921CAACB20D7B1AC89ADA77BCAF04309F4405EBF505D3181EB799AC5CE69
                                        APIs
                                        • FindFirstFileW.KERNEL32(00000000,?), ref: 00418EBF
                                        • FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F8B
                                          • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$Find$CreateFirstNext
                                        • String ID: @CG$XCG$`HG$`HG$>G
                                        • API String ID: 341183262-3780268858
                                        • Opcode ID: 2947025bd2a61e2dfa8065b5d62c799b28e36e91de5633d65c71786c44bdc3ee
                                        • Instruction ID: 861c71bda04042c44626cba1538e35c757a91b728f0af2478fb4c1063bb13cc5
                                        • Opcode Fuzzy Hash: 2947025bd2a61e2dfa8065b5d62c799b28e36e91de5633d65c71786c44bdc3ee
                                        • Instruction Fuzzy Hash: B08141315042405BC314FB62C892EEFB3A5AFD1718F50493FF946671E2EF389A49C69A
                                        APIs
                                        • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
                                        • SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
                                        • GetLastError.KERNEL32 ref: 00409A1B
                                          • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
                                        • TranslateMessage.USER32(?), ref: 00409A7A
                                        • DispatchMessageA.USER32(?), ref: 00409A85
                                        Strings
                                        • Keylogger initialization failure: error , xrefs: 00409A32
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                        • String ID: Keylogger initialization failure: error
                                        • API String ID: 3219506041-952744263
                                        • Opcode ID: 3994c632d31c6ae9a816ab86879254d3be00c1cea59258772773e56c80d9ec85
                                        • Instruction ID: 76b292cdb4e6355f9a4176d1f10d626d2d11be3de55f9aee7ae49bf60faff0c2
                                        • Opcode Fuzzy Hash: 3994c632d31c6ae9a816ab86879254d3be00c1cea59258772773e56c80d9ec85
                                        • Instruction Fuzzy Hash: 201194716043015BC710AB7AAC4996B77ECAB94B15B10057FFC45D2291FB34DE01CBAB
                                        APIs
                                        • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0041301A
                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00413026
                                          • Part of subcall function 00404468: send.WS2_32(000002E8,00000000,00000000,00000000), ref: 004044FD
                                        • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
                                        • GetProcAddress.KERNEL32(00000000), ref: 004131F4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressCloseCreateLibraryLoadProcsend
                                        • String ID: SHDeleteKeyW$Shlwapi.dll
                                        • API String ID: 2127411465-314212984
                                        • Opcode ID: c418ede76653c709927f706e630e85e3a06e156c32e9baf777584018349cc5ac
                                        • Instruction ID: cc67afc49b78d61a2372e1362dfc4f5d4a672f2d1b5b468e2109e7b1f18a6fb5
                                        • Opcode Fuzzy Hash: c418ede76653c709927f706e630e85e3a06e156c32e9baf777584018349cc5ac
                                        • Instruction Fuzzy Hash: 4FB1B671A043006BC614BA76CC979BE76989F94718F40063FF946B31E2EF7C9A4486DB
                                        APIs
                                        • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
                                        • GetLastError.KERNEL32 ref: 0040B261
                                        Strings
                                        • [Chrome StoredLogins not found], xrefs: 0040B27B
                                        • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
                                        • UserProfile, xrefs: 0040B227
                                        • [Chrome StoredLogins found, cleared!], xrefs: 0040B287
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: DeleteErrorFileLast
                                        • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                        • API String ID: 2018770650-1062637481
                                        • Opcode ID: 4cd32df34f682fcf287b1bbdb8b1e04e90f5886a02fc20745afa94da3ae3815b
                                        • Instruction ID: 236ee74dc97b4bdf00ef4875347123a6b81b21ae8e03a402b83ae8c28ff1bd46
                                        • Opcode Fuzzy Hash: 4cd32df34f682fcf287b1bbdb8b1e04e90f5886a02fc20745afa94da3ae3815b
                                        • Instruction Fuzzy Hash: 3001A23168410597CA0477B5ED6F8AE3624E921704F50017FF802731E2FF3A9A0586DE
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                        • OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                        • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                        • GetLastError.KERNEL32 ref: 00416B02
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                        • String ID: SeShutdownPrivilege
                                        • API String ID: 3534403312-3733053543
                                        • Opcode ID: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                        • Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
                                        • Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                        • Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __floor_pentium4
                                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                        • API String ID: 4168288129-2761157908
                                        • Opcode ID: 66bc95b00190c33de1dc88885a8d3c2e2540cf288971a00217ef3550ead5f7a6
                                        • Instruction ID: 57cc16b57fb9b80973019f24a4c29afa226e887048a240d5689d112d8919aadd
                                        • Opcode Fuzzy Hash: 66bc95b00190c33de1dc88885a8d3c2e2540cf288971a00217ef3550ead5f7a6
                                        • Instruction Fuzzy Hash: 08C26F72D046288FDB25CE28DD407EAB7B5EB44346F1441EBD84DE7242E778AE898F44
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 004089AE
                                          • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                          • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                        • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
                                        • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
                                          • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(00000304,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                          • Part of subcall function 00404468: SetEvent.KERNEL32(00000304,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                          • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                                          • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                                          • Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
                                          • Part of subcall function 00404468: send.WS2_32(000002E8,00000000,00000000,00000000), ref: 004044FD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
                                        • String ID:
                                        • API String ID: 4043647387-0
                                        • Opcode ID: 4a94e122f6d42161369300e83af466806a1dcb0dec3cc6991841d79dcc0bd999
                                        • Instruction ID: d7705bc86650fd6632c5f082d335fbcd32bd3fe840799e2454ee74f5ab9ae988
                                        • Opcode Fuzzy Hash: 4a94e122f6d42161369300e83af466806a1dcb0dec3cc6991841d79dcc0bd999
                                        • Instruction Fuzzy Hash: 11A15C729001089ACB14EBA1DD92AEDB778AF54318F10427FF546B71D2EF385E498B98
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041981A,00000000,00000000), ref: 00419BCD
                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041981A,00000000,00000000), ref: 00419BE2
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419BEF
                                        • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041981A,00000000,00000000), ref: 00419BFA
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0C
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$Open$ManagerStart
                                        • String ID:
                                        • API String ID: 276877138-0
                                        • Opcode ID: 50d0eb20569f235c126f5a3ccb9fed10f2149612a0ffcc28dffb27fdb097a1eb
                                        • Instruction ID: 9ab78235182221d9a13884b701025ebbd4d22640777282bd149d85cf0e5c5631
                                        • Opcode Fuzzy Hash: 50d0eb20569f235c126f5a3ccb9fed10f2149612a0ffcc28dffb27fdb097a1eb
                                        • Instruction Fuzzy Hash: 46F0E971404314AFD2115B31FC88DBF2AACEF85BA2B00043AF54193191CF68CD4595B9
                                        APIs
                                          • Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                          • Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                          • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                          • Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                          • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
                                        • ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
                                        • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
                                        • GetProcAddress.KERNEL32(00000000), ref: 00415977
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                        • String ID: PowrProf.dll$SetSuspendState
                                        • API String ID: 1589313981-1420736420
                                        • Opcode ID: 24b9d5b97b4806bc27070f5e9ed0cfc4c326b2396989710b1809eee22d884dc4
                                        • Instruction ID: 94bd0be5b4d635cf3270abd21b93e0cba208aed3fdadf5553bbce7524c8ebf13
                                        • Opcode Fuzzy Hash: 24b9d5b97b4806bc27070f5e9ed0cfc4c326b2396989710b1809eee22d884dc4
                                        • Instruction Fuzzy Hash: 7D2150B0604741E6CA14F7B19856AEF225A9F80748F40883FB402A72D2EF7CDC89865E
                                        APIs
                                        • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 0045127C
                                        • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 004512A5
                                        • GetACP.KERNEL32(?,?,00451502,?,00000000), ref: 004512BA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: InfoLocale
                                        • String ID: ACP$OCP
                                        • API String ID: 2299586839-711371036
                                        • Opcode ID: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                        • Instruction ID: bcb6c1b5649eca6e102b6d6ca9fa22aa61ab34f591545d84575f60c76f210f03
                                        • Opcode Fuzzy Hash: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                        • Instruction Fuzzy Hash: 50212722600100A6D7348F54D900BAB73A6AB40B66F1645E6FD09E7322F736DD49C799
                                        APIs
                                        • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A650
                                        • LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A664
                                        • LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A66B
                                        • SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Resource$FindLoadLockSizeof
                                        • String ID: SETTINGS
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00407A91
                                        • FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                        • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                        • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
                                        Similarity
                                        • API ID: Find$File$CloseFirstH_prologNext
                                        APIs
                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
                                        • _free.LIBCMT ref: 00448067
                                          • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                          • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                        • _free.LIBCMT ref: 00448233
                                        Similarity
                                        • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                        APIs
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
                                        • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
                                        Strings
                                        • open, xrefs: 0040622E
                                        • C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe, xrefs: 0040627F, 004063A7
                                        Similarity
                                        • API ID: DownloadExecuteFileShell
                                        • String ID: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe$open
                                        APIs
                                        • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
                                        • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
                                          • Part of subcall function 00404468: send.WS2_32(000002E8,00000000,00000000,00000000), ref: 004044FD
                                        Similarity
                                        • API ID: FileFind$FirstNextsend
                                        • String ID: x@G$x@G
                                        APIs
                                        • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                          • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                                          • Part of subcall function 004126D2: RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                                          • Part of subcall function 004126D2: RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                                        Similarity
                                        • API ID: CloseCreateInfoParametersSystemValue
                                        • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                        APIs
                                          • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                          • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                        • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443CF3,?,?,?,?,?,?,00000004), ref: 00450B61
                                        • _wcschr.LIBVCRUNTIME ref: 00450BF1
                                        • _wcschr.LIBVCRUNTIME ref: 00450BFF
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00443CF3,00000000,00443E13), ref: 00450CA2
                                        Similarity
                                        • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00408DAC
                                        • FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
                                        Similarity
                                        • API ID: FileFind$FirstH_prologNext
                                        APIs
                                          • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                          • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450EBE
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F0F
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FCF
                                        Similarity
                                        • API ID: ErrorInfoLastLocale$_free$_abort
                                        APIs
                                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0043A755
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0043A75F
                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0043A76C
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                        APIs
                                        • GetCurrentProcess.KERNEL32(?,?,0044252A,?), ref: 00442575
                                        • TerminateProcess.KERNEL32(00000000,?,0044252A,?), ref: 0044257C
                                        • ExitProcess.KERNEL32 ref: 0044258E
                                        Similarity
                                        • API ID: Process$CurrentExitTerminate
                                        APIs
                                        • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150C3,00000000), ref: 0041ACCC
                                        • NtSuspendProcess.NTDLL(00000000), ref: 0041ACD9
                                        • CloseHandle.KERNEL32(00000000,?,?,004150C3,00000000), ref: 0041ACE2
                                        Similarity
                                        • API ID: Process$CloseHandleOpenSuspend
                                        APIs
                                        • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150E8,00000000), ref: 0041ACF8
                                        • NtResumeProcess.NTDLL(00000000), ref: 0041AD05
                                        • CloseHandle.KERNEL32(00000000,?,?,004150E8,00000000), ref: 0041AD0E
                                        Similarity
                                        • API ID: Process$CloseHandleOpenResume
                                        • String ID:
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: .
                                        APIs
                                          • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                          • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                        • EnumSystemLocalesW.KERNEL32(00450E6A,00000001,00000000,?,<D,?,00451497,00000000,?,?,?), ref: 00450DB4
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                        • String ID: <D
                                        APIs
                                          • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                          • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                        • EnumSystemLocalesW.KERNEL32(004510BA,00000001,?,?,<D,?,0045145B,<D,?,?,?,?,?,00443CEC,?,?), ref: 00450E29
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                        • String ID: <D
                                        APIs
                                        • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475EA
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: InfoLocale
                                        • String ID: GetLocaleInfoEx
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        APIs
                                        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004520CD,?,?,00000008,?,?,00455412,00000000), ref: 004522FF
                                        Yara matches
                                        Similarity
                                        • API ID: ExceptionRaise
                                        • String ID:
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 0
                                        APIs
                                          • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                          • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045110E
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$_free$InfoLocale_abort
                                        • String ID:
                                        APIs
                                          • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                          • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                        • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451088,00000000,00000000,?), ref: 00451316
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$InfoLocale_abort_free
                                        • String ID:
                                        APIs
                                          • Part of subcall function 00444ACC: EnterCriticalSection.KERNEL32(?,?,0044225B,00000000,0046DAC0,0000000C,00442216,?,?,?,00448739,?,?,00446F74,00000001,00000364), ref: 00444ADB
                                        • EnumSystemLocalesW.KERNEL32(00447068,00000001,0046DC48,0000000C), ref: 004470E6
                                        Yara matches
                                        Similarity
                                        • API ID: CriticalEnterEnumLocalesSectionSystem
                                        • String ID:
                                        APIs
                                          • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                          • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                        • EnumSystemLocalesW.KERNEL32(00450C4E,00000001,?,?,?,004514B9,<D,?,?,?,?,?,00443CEC,?,?,?), ref: 00450D2E
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                        • String ID:
                                        APIs
                                        • SetUnhandledExceptionFilter.KERNEL32(Function_00033CE3,004339B1), ref: 00433CDC
                                        Yara matches
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled
                                        • String ID:
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: BG3i@
                                        • API String ID: 0-2407888476
                                        • Opcode ID: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
                                        • Instruction ID: a817909710d0090f483bb13cdd1d1ee80d6dfae79024daed79820ace932836b2
                                        • Opcode Fuzzy Hash: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
                                        • Instruction Fuzzy Hash: E361777160070966DA385A2858D6BBF6396EB0DB04F10391BE943FF3C1D61DAD43874E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 0
                                        • API String ID: 0-4108050209
                                        • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                        • Instruction ID: e47b97b21f836cd03f295ee90de6feb37cae4df0254a032430ab3cefd666e269
                                        • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                        • Instruction Fuzzy Hash: C851AC3160070457DF388A6985DA7BF6B959B0E700F18352FE48AFB382C60DED02979E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: @
                                        • API String ID: 0-2766056989
                                        • Opcode ID: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                                        • Instruction ID: 4dd25ef8aece06dcbd44762d080e1d81d96ea4c89eb3931c7e752ffea448aa68
                                        • Opcode Fuzzy Hash: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                                        • Instruction Fuzzy Hash: 99417576A083158FC314CE29D18021BFBE1FBC8300F568A2EF99693350D679E980CB86
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: >G
                                        • API String ID: 0-1296849874
                                        • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                        • Instruction ID: d77b428d8deff70f46db9a150fef47e19855adfe796a652afc1ecdf390514463
                                        • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                        • Instruction Fuzzy Hash: D1110BF724C18143EE74862DD8B46B7A795EACE320F2C636BD0C14B758D52A99459908
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: HeapProcess
                                        • String ID:
                                        • API String ID: 54951025-0
                                        • Opcode ID: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                                        • Instruction ID: 9504a653bcf427532d5064532c05f1d04939bb5561e35e6535c2a7eba45b7a60
                                        • Opcode Fuzzy Hash: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                                        • Instruction Fuzzy Hash: 84A00270506201CB57404F756F0525937D9654559170580755409C5571D62585905615
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b5ca945c73f96586680b794a2cfc8b55e8f7bc2f58380cec5295694457d85c5e
                                        • Instruction ID: 1fbb2d6a6e610910e1865e113166bba559d0ad1400e2c5ed2b94208389d41108
                                        • Opcode Fuzzy Hash: b5ca945c73f96586680b794a2cfc8b55e8f7bc2f58380cec5295694457d85c5e
                                        • Instruction Fuzzy Hash: 4E323621D2AF014DE7639634C862336A649AFB73C5F19D737F81AB5AA6EB2CC4C34105
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f36ab663cb4d239ef1e0a5f108238eabc662f1d3d061ede5d5b4150ec9228ddd
                                        • Instruction ID: 2a34495ee4f42e5442afe8381c33b9994a027dd0bc8bc0cc3fe6fc4803c66e78
                                        • Opcode Fuzzy Hash: f36ab663cb4d239ef1e0a5f108238eabc662f1d3d061ede5d5b4150ec9228ddd
                                        • Instruction Fuzzy Hash: 9732C1796087469BD714DF2AC4807ABB7E1BF84304F444A2EFC958B381D778DD858B8A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 51f8d9063bc82676a5307432183369734bf664b3393a643c02daa012ce37ec01
                                        • Instruction ID: 022d1978040d43b7ea9bbfc0a41ffb8b00617051ae00cac38c3f572af68edcce
                                        • Opcode Fuzzy Hash: 51f8d9063bc82676a5307432183369734bf664b3393a643c02daa012ce37ec01
                                        • Instruction Fuzzy Hash: 0D028F717046518FD318CF2EE880536B7E1AF8E301B46863EE585C7395EB74E922CB95
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 74e588301cf54894560b91a60f0e3518b6bdc06a9ff6f3e52f80e31c4ce3b340
                                        • Instruction ID: dd4ce2a6fae4266494c2f053a510589cf36d02151b1693af83bcfdcd1697f2cb
                                        • Opcode Fuzzy Hash: 74e588301cf54894560b91a60f0e3518b6bdc06a9ff6f3e52f80e31c4ce3b340
                                        • Instruction Fuzzy Hash: 55F13B716142548FC314DF1DE89187BB3E0EB8A301B460A2EF5C2D7392DB78E91ADB56
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7363a9fedaeb76f2bf31ad894624b0994c444190ff40f401d8ef5418a52334f3
                                        • Instruction ID: a134442df30985c3d9ded0ed06b90328dea8838589cb671b1bd0994677c35241
                                        • Opcode Fuzzy Hash: 7363a9fedaeb76f2bf31ad894624b0994c444190ff40f401d8ef5418a52334f3
                                        • Instruction Fuzzy Hash: 60D1A171A083158BC721DE29C88096FB7E4FFD8354F446A2EF88597361EB38DD058B86
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e7326b31f45d4e50c8c50174bee11f9882207dfed74e31d12f4697374e1987de
                                        • Instruction ID: 86422b113df266cbb8d28aa4d41e6099a1760efb4c6ea83322c03ecd969c618c
                                        • Opcode Fuzzy Hash: e7326b31f45d4e50c8c50174bee11f9882207dfed74e31d12f4697374e1987de
                                        • Instruction Fuzzy Hash: 46B1817951429A8ACB05EF28C4913F63BA1EF6A300F4851B9EC9CCF757D3399506EB24
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                        • Instruction ID: c2ccfb52f11e3b3b259396a7657262a28929e77abe156aeb413db61674ad6f9a
                                        • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                        • Instruction Fuzzy Hash: EB91C8722080A319DB2D463E847403FFFE19A563A1B1BA79FD4F2CB2C5EE18D564D624
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                        • Instruction ID: 4bc7a19b78b3923bd294324807b23a5e70e392b11aa895e474023c0768c286cc
                                        • Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                        • Instruction Fuzzy Hash: 1C91B6762080A35ADB2D463AC43403FFFE15A563A1B1B979FD4F2CB2C5EE18C568D624
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                        • Instruction ID: 8cd81e8b6c8cb135a2d00aee0b4681899237c427d703fcd1ed6b13232f465ad6
                                        • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                        • Instruction Fuzzy Hash: 439195722090A35ADB2D463D843403FFFE15E5A3A1B1B979FD4F2CB2C5EE28C5649624
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                        • Instruction ID: 3f92c48b0efc6548e9d2ace3e3fdbc0fca8b075b553eb95927f683fa27391a83
                                        • Opcode Fuzzy Hash: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                        • Instruction Fuzzy Hash: A4613471E0070867DE385928B896BBF23A8AB0D708F24755BE942DB381D65DDD43C24E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                        • Instruction ID: b40c52ae0115b4061fe2d1036eda9829452ee7622c5651f608d151b30f65a328
                                        • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                        • Instruction Fuzzy Hash: B081C4722090A319DB2D463E843403FFFE15A563A5B1BA7AFD4F2CB2C5EE18C5649624
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        APIs
                                        • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FB9
                                        • CreateCompatibleDC.GDI32(00000000), ref: 00417FC4
                                          • Part of subcall function 00418452: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418482
                                        • CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418045
                                        • DeleteDC.GDI32(?), ref: 0041805D
                                        • DeleteDC.GDI32(00000000), ref: 00418060
                                        • SelectObject.GDI32(00000000,00000000), ref: 0041806B
                                        • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00418093
                                        • GetCursorInfo.USER32(?), ref: 004180B5
                                        • GetIconInfo.USER32(?,?), ref: 004180CB
                                        • DeleteObject.GDI32(?), ref: 004180FA
                                        • DeleteObject.GDI32(?), ref: 00418107
                                        • DrawIcon.USER32(00000000,?,?,?), ref: 00418114
                                        • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418144
                                        • GetObjectA.GDI32(?,00000018,?), ref: 00418173
                                        • LocalAlloc.KERNEL32(00000040,00000028), ref: 004181BC
                                        • LocalAlloc.KERNEL32(00000040,00000001), ref: 004181DF
                                        • GlobalAlloc.KERNEL32(00000000,?), ref: 00418248
                                        • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041826B
                                        • DeleteDC.GDI32(?), ref: 0041827F
                                        • DeleteDC.GDI32(00000000), ref: 00418282
                                        • DeleteObject.GDI32(00000000), ref: 00418285
                                        • GlobalFree.KERNEL32(00CC0020), ref: 00418290
                                        • DeleteObject.GDI32(00000000), ref: 00418344
                                        • GlobalFree.KERNEL32(?), ref: 0041834B
                                        • DeleteDC.GDI32(?), ref: 0041835B
                                        • DeleteDC.GDI32(00000000), ref: 00418366
                                        • DeleteDC.GDI32(?), ref: 00418398
                                        • DeleteDC.GDI32(00000000), ref: 0041839B
                                        • DeleteObject.GDI32(?), ref: 004183A1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Similarity
                                        • API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconInfoLocal$BitmapBitsCursorDisplayDrawEnumSelectSettingsStretch
                                        • String ID: DISPLAY
                                        APIs
                                        • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
                                        • GetProcAddress.KERNEL32(00000000), ref: 0041728F
                                        • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
                                        • GetProcAddress.KERNEL32(00000000), ref: 004172A3
                                        • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
                                        • GetProcAddress.KERNEL32(00000000), ref: 004172B7
                                        • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
                                        • GetProcAddress.KERNEL32(00000000), ref: 004172CB
                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
                                        • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
                                        • GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
                                        • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
                                        • TerminateProcess.KERNEL32(?,00000000), ref: 00417454
                                        • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
                                        • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
                                        • SetThreadContext.KERNEL32(?,00000000), ref: 00417575
                                        • ResumeThread.KERNEL32(?), ref: 00417582
                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
                                        • GetCurrentProcess.KERNEL32(?), ref: 004175A5
                                        • TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
                                        • GetLastError.KERNEL32 ref: 004175C7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Similarity
                                        • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                        • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                        APIs
                                        • CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
                                        • ExitProcess.KERNEL32 ref: 0041151D
                                          • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                          • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                          • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                          • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
                                        • OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
                                        • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382
                                          • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                          • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                          • Part of subcall function 004127D5: RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                        • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
                                        • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
                                        • GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
                                        • lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
                                          • Part of subcall function 0041B58F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B5EB
                                          • Part of subcall function 0041B58F: WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B5FF
                                          • Part of subcall function 0041B58F: CloseHandle.KERNEL32(00000000), ref: 0041B60C
                                        • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
                                        • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
                                        • OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
                                        • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1
                                          • Part of subcall function 0041B58F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5CE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Similarity
                                        • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                                        • String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
                                        APIs
                                          • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                          • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040C38B
                                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C39E
                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040C3B7
                                        • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040C3E7
                                          • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                          • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                          • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
                                          • Part of subcall function 0041B58F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5CE
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C632
                                        • ExitProcess.KERNEL32 ref: 0040C63E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Similarity
                                        • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                        • String ID: """, 0$")$@CG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                        APIs
                                        • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2B2
                                        • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2C6
                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2EE
                                        • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A2FF
                                        • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A340
                                        • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A358
                                        • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A36D
                                        • SetEvent.KERNEL32 ref: 0041A38A
                                        • WaitForSingleObject.KERNEL32(000001F4), ref: 0041A39B
                                        • CloseHandle.KERNEL32 ref: 0041A3AB
                                        • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3CD
                                        • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3D7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Similarity
                                        • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                        • String ID: alias audio$" type $TUF$close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
                                        APIs
                                          • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                          • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
                                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
                                        • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065
                                          • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                          • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                          • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
                                          • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
                                        • ExitProcess.KERNEL32 ref: 0040C287
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Similarity
                                        • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                        • String ID: ")$.vbs$@CG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                        • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
                                        • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
                                        • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
                                        • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
                                        • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
                                        • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
                                        • WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
                                        • WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
                                        • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
                                        • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
                                        • WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
                                        • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
                                        • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$Write$Create
                                        • String ID: RIFF$WAVE$data$fmt
                                        • API String ID: 1602526932-4212202414
                                        • Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                        • Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
                                        • Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                        • Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3
                                        APIs
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe,00000001,004068B2,C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
                                        • GetProcAddress.KERNEL32(00000000), ref: 004064FD
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
                                        • GetProcAddress.KERNEL32(00000000), ref: 00406511
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
                                        • GetProcAddress.KERNEL32(00000000), ref: 00406525
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
                                        • GetProcAddress.KERNEL32(00000000), ref: 00406539
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
                                        • GetProcAddress.KERNEL32(00000000), ref: 0040654D
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
                                        • GetProcAddress.KERNEL32(00000000), ref: 00406561
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressHandleModuleProc
                                        • String ID: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                        • API String ID: 1646373207-709635726
                                        • Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                        • Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
                                        • Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                        • Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D
                                        APIs
                                        • _wcslen.LIBCMT ref: 0040BC75
                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
                                        • CopyFileW.KERNEL32(C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
                                        • _wcslen.LIBCMT ref: 0040BD54
                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
                                        • CopyFileW.KERNEL32(C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe,00000000,00000000), ref: 0040BDF2
                                        • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
                                        • _wcslen.LIBCMT ref: 0040BE34
                                        • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
                                        • ExitProcess.KERNEL32 ref: 0040BED0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                        • String ID: 6$C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe$del$open$BG$BG
                                        • API String ID: 1579085052-2139743889
                                        • Opcode ID: 92dd1da1de273576c83b5ac1e26fccc905b176af94512c139e792b12d84d09d2
                                        • Instruction ID: b3868b96a5a73c1b880f625a38b4c220dd420420d05b0a2cc1e840e3cd02b35d
                                        • Opcode Fuzzy Hash: 92dd1da1de273576c83b5ac1e26fccc905b176af94512c139e792b12d84d09d2
                                        • Instruction Fuzzy Hash: D251B0212043406BD609B722EC52EBF77999F81719F10443FF985A66E2DF3CAD4582EE
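The install routine at 0040BC8E to 0040BED0 (CreateDirectoryW, CopyFileW of the running executable, SetFileAttributesW with 0x07 = READONLY|HIDDEN|SYSTEM, ShellExecuteW "open" on the copy, ExitProcess) and the strings of the earlier function (Run and Policies\Explorer\Run registry paths, a .vbs written to Temp that loops on fso.FileExists until the executable is gone and then deletes itself) describe host behaviour that is visible in endpoint telemetry. The Python below is an added detection example, not code from the report or from the sample: it runs three rules over constructed Sysmon-style events (ProcessCreate, FileCreate, RegistryValueSet) that model that behaviour. The file paths, value names, PIDs and the event field names are assumptions for the example; the OneDrive entry is a benign control that the Run-key rule must not flag.

```python
import json
import re

# Constructed Sysmon-style events (JSON lines) modelling the listing's behaviour:
# copy self to a new directory, relaunch the copy and exit, set a Run value under
# Policies\Explorer\Run, and (uninstall path) run a .vbs from %TEMP% via wscript.
# Every path, name and PID here is made up for the example.
SAMPLE_EVENTS = r"""
{"EventID":1,"ProcessId":4100,"Image":"C:\\Users\\user\\Desktop\\sample.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"sample.exe"}
{"EventID":11,"ProcessId":4100,"Image":"C:\\Users\\user\\Desktop\\sample.exe","TargetFilename":"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe"}
{"EventID":1,"ProcessId":4212,"Image":"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe","ParentImage":"C:\\Users\\user\\Desktop\\sample.exe","CommandLine":"remcos.exe"}
{"EventID":13,"ProcessId":4212,"Image":"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe","TargetObject":"HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\remcos","Details":"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe"}
{"EventID":13,"ProcessId":4212,"Image":"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe","TargetObject":"HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive","Details":"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"}
{"EventID":1,"ProcessId":4300,"Image":"C:\\Windows\\System32\\wscript.exe","ParentImage":"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe","CommandLine":"wscript.exe C:\\Users\\user\\AppData\\Local\\Temp\\uninstall.vbs"}
"""

# Both Run locations named in the sample's strings; Policies\Explorer\Run is the
# one that casual autorun checks tend to miss.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Policies\\Explorer\\)?Run\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData|ProgramData|Temp|Users\\Public)\\", re.I)
SCRIPT_HOST_RE = re.compile(r"\\[wc]script\.exe$", re.I)
TEMP_VBS_RE = re.compile(r'\\Temp\\[^\s"]+\.vbs', re.I)


def load_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def run_key_to_user_writable(events):
    """RegistryValueSet on a Run key whose data points into a user-writable path."""
    return [e for e in events if e.get("EventID") == 13
            and RUN_KEY_RE.search(e.get("TargetObject", ""))
            and USER_WRITABLE_RE.search(e.get("Details", ""))]


def self_copy_then_launch(events):
    """Process P creates file T (FileCreate), then T runs with ParentImage P:
    the CopyFileW + ShellExecuteW 'open' pattern of the install routine."""
    created_by = {}
    for e in events:
        if e.get("EventID") == 11:
            created_by[e["TargetFilename"].lower()] = e["Image"].lower()
    return [e for e in events if e.get("EventID") == 1
            and e["Image"].lower() in created_by
            and created_by[e["Image"].lower()] == e.get("ParentImage", "").lower()]


def temp_vbs_via_script_host(events):
    """wscript/cscript started on a .vbs under a Temp directory (uninstall script)."""
    return [e for e in events if e.get("EventID") == 1
            and SCRIPT_HOST_RE.search(e.get("Image", ""))
            and TEMP_VBS_RE.search(e.get("CommandLine", ""))]


def triage(events):
    """Summarise rule hits by the field an analyst would pivot on next."""
    return {
        "run_key_user_writable": [e["TargetObject"] for e in run_key_to_user_writable(events)],
        "self_copy_relaunch": [e["Image"] for e in self_copy_then_launch(events)],
        "temp_vbs": [e["CommandLine"] for e in temp_vbs_via_script_host(events)],
    }


if __name__ == "__main__":
    for rule, hits in triage(load_events(SAMPLE_EVENTS)).items():
        print(rule, hits)
```

The self-copy rule keys on the parent/child relationship rather than on a file name, because the copy's directory and name come from the sample's configuration and vary between builds; the Run-key rule restricts itself to user-writable targets so that ordinary software registering itself from Program Files is not flagged. Sysmon does not record SetFileAttributes, so the READONLY|HIDDEN|SYSTEM marking of the copy is something to confirm on the host (attrib, or the Attributes field of a PowerShell Get-Item) rather than in these logs.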
                                        APIs
                                        • lstrlenW.KERNEL32(?), ref: 0041B1D6
                                        • _memcmp.LIBVCRUNTIME ref: 0041B1EE
                                        • lstrlenW.KERNEL32(?), ref: 0041B207
                                        • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B242
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B255
                                        • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B299
                                        • lstrcmpW.KERNEL32(?,?), ref: 0041B2B4
                                        • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2CC
                                        • _wcslen.LIBCMT ref: 0041B2DB
                                        • FindVolumeClose.KERNEL32(?), ref: 0041B2FB
                                        • GetLastError.KERNEL32 ref: 0041B313
                                        • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B340
                                        • lstrcatW.KERNEL32(?,?), ref: 0041B359
                                        • lstrcpyW.KERNEL32(?,?), ref: 0041B368
                                        • GetLastError.KERNEL32 ref: 0041B370
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                        • String ID: ?
                                        • API String ID: 3941738427-1684325040
                                        • Opcode ID: 17f0383a2199e65fad79c02efdfd6f833a281a6f5bd6be27e9a359bd3f4b92bf
                                        • Instruction ID: 2e0df54dd889987763cd5022c3700ac4418931210c184d5857636408485aa128
                                        • Opcode Fuzzy Hash: 17f0383a2199e65fad79c02efdfd6f833a281a6f5bd6be27e9a359bd3f4b92bf
                                        • Instruction Fuzzy Hash: 8B416F71508305AAD7209FA1EC8C9EBB7E8EB49715F00096BF541C2261EB78C98887D6
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$EnvironmentVariable$_wcschr
                                        • String ID:
                                        • API String ID: 3899193279-0
                                        • Opcode ID: c10670a696248be885c2c5ddf478444a83bcb0538a8bf01727ad035a034c0f59
                                        • Instruction ID: 8ac3cd9939a067627e1c481289c57a7f9f94b657261427fab31af25724b0c78e
                                        • Opcode Fuzzy Hash: c10670a696248be885c2c5ddf478444a83bcb0538a8bf01727ad035a034c0f59
                                        • Instruction Fuzzy Hash: 96D13C719007007FFB25AF7B9881A6F7BA4BF02314F0541AFF905A7381E63989418B9D
                                        APIs
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
                                          • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
                                          • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                          • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                        • Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
                                        • Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
                                        • Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
                                        • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
                                        • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
                                        • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
                                        • Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
                                        • Sleep.KERNEL32(00000064), ref: 00412060
                                          • Part of subcall function 00404468: send.WS2_32(000002E8,00000000,00000000,00000000), ref: 004044FD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                        • String ID: /stext "$HDG$HDG$>G$>G
                                        • API String ID: 1223786279-3931108886
                                        • Opcode ID: 4d2eae68b429e2c3cdd353d4b83499003f762b4b99ca305740913be3e2b9028f
                                        • Instruction ID: 1febf249a593eb43810efab42e14b6693ac358e03ba90545e56d33427da79e18
                                        • Opcode Fuzzy Hash: 4d2eae68b429e2c3cdd353d4b83499003f762b4b99ca305740913be3e2b9028f
                                        • Instruction Fuzzy Hash: 960243315083414AC325FB61D891AEFB7D5AFD4308F50493FF88A931E2EF785A49C69A
                                        APIs
                                        • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CAE9
                                        • GetCursorPos.USER32(?), ref: 0041CAF8
                                        • SetForegroundWindow.USER32(?), ref: 0041CB01
                                        • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB1B
                                        • Shell_NotifyIconA.SHELL32(00000002,00473B50), ref: 0041CB6C
                                        • ExitProcess.KERNEL32 ref: 0041CB74
                                        • CreatePopupMenu.USER32 ref: 0041CB7A
                                        • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB8F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                        • String ID: Close
                                        • API String ID: 1657328048-3535843008
                                        • Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                        • Instruction ID: a66ed96c0d91d71762f770de87d5f41dd37c70c4e97b210e23d221b2b7ccacbc
                                        • Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                        • Instruction Fuzzy Hash: 68212B71188209FFDB064F64FD4EAAA3F65EB04342F044135B906D40B2D7B9EA90EB18
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$Info
                                        • String ID:
                                        • API String ID: 2509303402-0
                                        • Opcode ID: 4f311dc35998d231116b4ef065710eb7bf66da857f64ae236b680615c36f9f73
                                        • Instruction ID: 0af7f9009007d8880989bd470fdb3e4a62bb8e65dbd2af1b74ff5c8893cb1db7
                                        • Opcode Fuzzy Hash: 4f311dc35998d231116b4ef065710eb7bf66da857f64ae236b680615c36f9f73
                                        • Instruction Fuzzy Hash: D0B18F71900605AFEF11DFA9C881BEEBBF4BF49304F14406EF855B7242DA79A8458B64
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
                                        • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
                                        • __aulldiv.LIBCMT ref: 00407FE9
                                        • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
                                        • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
                                        • CloseHandle.KERNEL32(00000000), ref: 00408200
                                        • CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
                                        • CloseHandle.KERNEL32(00000000), ref: 00408256
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                                        • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
                                        • API String ID: 1884690901-3066803209
                                        • Opcode ID: 1a1a22910855430f8575f8b3773a678de9066c749bf7f37557f66234b9a0df36
                                        • Instruction ID: 222450ca6543349723abdfa1177da379b39b5876d7444fbb960ea0ab75079841
                                        • Opcode Fuzzy Hash: 1a1a22910855430f8575f8b3773a678de9066c749bf7f37557f66234b9a0df36
                                        • Instruction Fuzzy Hash: DAB191316083409BC214FB25C892AAFB7E5AFD4314F40492EF885632D2EF789945C79B
                                        APIs
                                        • Sleep.KERNEL32(00001388), ref: 00409E62
                                          • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                          • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                          • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                          • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                        • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
                                        • GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
                                        • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
                                        • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
                                          • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                        • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A049
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                        • String ID: @CG$@CG$XCG$XCG$xAG$xAG
                                        • API String ID: 3795512280-3163867910
                                        • Opcode ID: 5e646024beb351a6a24f993b886ad1ef68ac9312b28886c6e12ef64d8e8c8feb
                                        • Instruction ID: b7dfc09a395f5416f32c5fe597dbb364f69b6ed32616efff49b152d1c9b912f4
                                        • Opcode Fuzzy Hash: 5e646024beb351a6a24f993b886ad1ef68ac9312b28886c6e12ef64d8e8c8feb
                                        • Instruction Fuzzy Hash: 30518D716043005ACB05BB72D866ABF769AAFD1309F00053FF886B71E2DF3D9D44869A
                                        APIs
                                        • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                        • LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                        • FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                        • LoadLibraryA.KERNEL32(?), ref: 00413F27
                                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                        • FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                        • FreeLibrary.KERNEL32(00000000), ref: 00413F66
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                        • String ID: \ws2_32$\wship6$getaddrinfo
                                        • API String ID: 2490988753-3078833738
                                        • Opcode ID: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                        • Instruction ID: a4547f3d416e9253f7b1cbdd0907a67efdadb69b2b53743d1710677937ed8fa2
                                        • Opcode Fuzzy Hash: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                        • Instruction Fuzzy Hash: 6D31C4B1906315A7D320AF25DC44ACBB7ECEF44745F400A2AF844D3201D778DA858AEE
                                        APIs
                                        • ___free_lconv_mon.LIBCMT ref: 004500B1
                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F300
                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F312
                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F324
                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F336
                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F348
                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F35A
                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F36C
                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F37E
                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F390
                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3A2
                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3B4
                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3C6
                                          • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3D8
                                        • _free.LIBCMT ref: 004500A6
                                          • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                          • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                        • _free.LIBCMT ref: 004500C8
                                        • _free.LIBCMT ref: 004500DD
                                        • _free.LIBCMT ref: 004500E8
                                        • _free.LIBCMT ref: 0045010A
                                        • _free.LIBCMT ref: 0045011D
                                        • _free.LIBCMT ref: 0045012B
                                        • _free.LIBCMT ref: 00450136
                                        • _free.LIBCMT ref: 0045016E
                                        • _free.LIBCMT ref: 00450175
                                        • _free.LIBCMT ref: 00450192
                                        • _free.LIBCMT ref: 004501AA
                                        Yara matches
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                        • String ID:
                                        • API String ID: 161543041-0
                                        • Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                        • Instruction ID: 6df0fc8d0da410edbfddc8482cd9dc810a80ebbb5b2f86b8c24a0bb33e3d08c7
                                        • Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                        • Instruction Fuzzy Hash: 96317235500B00AFEB20AA35D845B5B73E5AF42355F15841FF849E7292DF39AC98CB1A
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0041912D
                                        • GdiplusStartup.GDIPLUS(00473AF0,?,00000000), ref: 0041915F
                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191EB
                                        • Sleep.KERNEL32(000003E8), ref: 0041926D
                                        • GetLocalTime.KERNEL32(?), ref: 0041927C
                                        • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419365
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                        • String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                        • API String ID: 489098229-65789007
                                        • Opcode ID: 689577e7f95ccf4fa4131798baf4facb90a00659e9edbe6c99d8646726643ea6
                                        • Instruction ID: b922dce7c629cfc9b1bb11cb74a08c0e3353b39699bf4d86e46594d10c943285
                                        • Opcode Fuzzy Hash: 689577e7f95ccf4fa4131798baf4facb90a00659e9edbe6c99d8646726643ea6
                                        • Instruction Fuzzy Hash: 33519F71A002449ACB14BBB5C856AFE7BA9AB55304F00407FF84AB71D2EF3C5E85C799
                                        APIs
                                          • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                          • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                          • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                          • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                          • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
                                        • ExitProcess.KERNEL32 ref: 0040C832
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                        • String ID: """, 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                        • API String ID: 1913171305-390638927
                                        • Opcode ID: d3fa006b60b681a4fe91519223c7cc657c512d94db9bb93783c24a6989ddd1e8
                                        • Instruction ID: a795a6540db69397e2c5d2b70f340dd787df27bacd58b350937fb1c0aad7b7c4
                                        • Opcode Fuzzy Hash: d3fa006b60b681a4fe91519223c7cc657c512d94db9bb93783c24a6989ddd1e8
                                        • Instruction Fuzzy Hash: A2416D329001185ACB14F762DC56DFE7779AF50718F50417FF906B30E2EE386A8ACA99
                                        APIs
                                        Yara matches
                                        Similarity
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        • Opcode ID: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                        • Instruction ID: 48066223020562dfe8895eb3edc0e70975ef38ab3c96fc6f1fb07286cb8ca08d
                                        • Opcode Fuzzy Hash: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                        • Instruction Fuzzy Hash: 2BC15772D80204BFEB20DBA9CC82FDE77F89B45704F15416AFA04FB282D6749D458B58
                                        APIs
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                                        • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                                        • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                                        • closesocket.WS2_32(000000FF), ref: 0040481F
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404856
                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404867
                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040486E
                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404880
                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404885
                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040488A
                                        • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404895
                                        • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 0040489A
                                        Yara matches
                                        Similarity
                                        • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                        • String ID:
                                        • API String ID: 3658366068-0
                                        • Opcode ID: c0811b9552baa960996580efd3a95ddbe219791cb6e29288b5199f5b52bda897
                                        • Instruction ID: 5504d0c870acfe65fd0076db90b097e51f0e6d2514c589c74abed5ba37c9c78a
                                        • Opcode Fuzzy Hash: c0811b9552baa960996580efd3a95ddbe219791cb6e29288b5199f5b52bda897
                                        • Instruction Fuzzy Hash: 3C212C71104B149FCB216B26EC45A27BBE1EF40325F104A7EF2E612AF1CB76E851DB48
                                        APIs
                                          • Part of subcall function 00454650: CreateFileW.KERNEL32(00000000,?,?,+JE,?,?,00000000,?,00454A2B,00000000,0000000C), ref: 0045466D
                                        • GetLastError.KERNEL32 ref: 00454A96
                                        • __dosmaperr.LIBCMT ref: 00454A9D
                                        • GetFileType.KERNEL32(00000000), ref: 00454AA9
                                        • GetLastError.KERNEL32 ref: 00454AB3
                                        • __dosmaperr.LIBCMT ref: 00454ABC
                                        • CloseHandle.KERNEL32(00000000), ref: 00454ADC
                                        • CloseHandle.KERNEL32(?), ref: 00454C26
                                        • GetLastError.KERNEL32 ref: 00454C58
                                        • __dosmaperr.LIBCMT ref: 00454C5F
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                        • String ID: H
                                        • API String ID: 4237864984-2852464175
                                        • Opcode ID: 6ee1e536fdc7f2f0b5cfdc99f6d3f503e334a2caa4375aff0222a5d39aa192cc
                                        • Instruction ID: 324c09394b40af715295ff654573b8bda7a64cd12b4111e7ce26936e53f9a861
                                        • Opcode Fuzzy Hash: 6ee1e536fdc7f2f0b5cfdc99f6d3f503e334a2caa4375aff0222a5d39aa192cc
                                        • Instruction Fuzzy Hash: B0A148329041044FDF19EF78D8427AE7BA0AB86319F14015EFC159F392DB398C86C75A
                                        APIs
                                        • __Init_thread_footer.LIBCMT ref: 0040A456
                                        • Sleep.KERNEL32(000001F4), ref: 0040A461
                                        • GetForegroundWindow.USER32 ref: 0040A467
                                        • GetWindowTextLengthW.USER32(00000000), ref: 0040A470
                                        • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
                                        • Sleep.KERNEL32(000003E8), ref: 0040A574
                                          • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                        • String ID: [${ User has been idle for $ minutes }$]
                                        • API String ID: 911427763-3954389425
                                        • Opcode ID: 9c950ddbc3248272ccd8ce42d56859830875aa5055a4fb8d48cda04a3a410b4d
                                        • Instruction ID: 0ecdfa35f4bf358d0b6072dbfc0ad8fc4f94b2a12b5a089c7f39fa9b67fb4d59
                                        • Opcode Fuzzy Hash: 9c950ddbc3248272ccd8ce42d56859830875aa5055a4fb8d48cda04a3a410b4d
                                        • Instruction Fuzzy Hash: C451DF316083005BC614FB21D84AAAE7794BF84318F50493FF846A62E2EF7C9E55C69F
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 65535$udp
                                        • API String ID: 0-1267037602
                                        • Opcode ID: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                        • Instruction ID: a76ad32841e4dbbb66723cf4e0556afe3febbbe66cdf8f55616d13ac9502c32b
                                        • Opcode Fuzzy Hash: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                        • Instruction Fuzzy Hash: 9D4118716083019BD7209F29E905BAB7BD8EF85706F04082FF84197391E76DCEC186AE
                                        APIs
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
                                        • CloseHandle.KERNEL32(00000000), ref: 00416F2D
                                        • DeleteFileA.KERNEL32(00000000), ref: 00416F3C
                                        • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416EF0
                                          • Part of subcall function 00404468: send.WS2_32(000002E8,00000000,00000000,00000000), ref: 004044FD
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                        • String ID: <$@$@FG$@FG$TUF$Temp
                                        • API String ID: 1107811701-4124992407
                                        • Opcode ID: 918f9ad3c6fcb95be27a41be3b0141950ae8e99a3b66b50baca9962067d88df2
                                        • Instruction ID: 21bac8b1790940aaec7d6d8591dec239f7d6dde33bc15b5890dc9a9e7f2861e5
                                        • Opcode Fuzzy Hash: 918f9ad3c6fcb95be27a41be3b0141950ae8e99a3b66b50baca9962067d88df2
                                        • Instruction Fuzzy Hash: E8319C319002099BCB04FBA1DC56AFE7775AF50308F00417EF906760E2EF785A8ACB99
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00474A28,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
                                        • GetCurrentProcess.KERNEL32(00474A28,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe), ref: 00406705
                                        Strings
                                        Yara matches
                                        Similarity
                                        • API ID: CurrentProcess
                                        • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$pUF$windir$BG3i@
                                        • API String ID: 2050909247-1144799832
                                        • Opcode ID: 5f4c91d6b24130c8fe2f88965ff0ff9b6bb2609424b04334da58237aef4b63a8
                                        • Instruction ID: 423827b33d6c667fb1d0fc3afb55bdad30249121d517be796f0b9763ce16cf58
                                        • Opcode Fuzzy Hash: 5f4c91d6b24130c8fe2f88965ff0ff9b6bb2609424b04334da58237aef4b63a8
                                        • Instruction Fuzzy Hash: B2310871250700AFC300AB65EC45F6A37B8EB84716F11043EF50AE76E1EB79A8508B6D
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393B9
                                        • GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C6
                                        • __dosmaperr.LIBCMT ref: 004393CD
                                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393F9
                                        • GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439403
                                        • __dosmaperr.LIBCMT ref: 0043940A
                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043944D
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439457
                                        • __dosmaperr.LIBCMT ref: 0043945E
                                        • _free.LIBCMT ref: 0043946A
                                        • _free.LIBCMT ref: 00439471
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                        • String ID:
                                        • API String ID: 2441525078-0
                                        • Opcode ID: ca7e46f6aab89345aa6e1fd7284ebc531e5fcf117c11a17f076dcd0ca22c6f6e
                                        • Instruction ID: 902c93592471d116807dca9985149206a76c62e8192f2f9a6cc20a0486345b12
                                        • Opcode Fuzzy Hash: ca7e46f6aab89345aa6e1fd7284ebc531e5fcf117c11a17f076dcd0ca22c6f6e
                                        • Instruction Fuzzy Hash: F531F17140820ABBEF11AFA5DC449AF3B78EF09364F14016AF81066291DB79CC12DBA9
                                        APIs
                                        • SetEvent.KERNEL32(?), ref: 00404E71
                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
                                        • TranslateMessage.USER32(?), ref: 00404F30
                                        • DispatchMessageA.USER32(?), ref: 00404F3B
                                        • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074), ref: 00404FF3
                                        • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
                                          • Part of subcall function 00404468: send.WS2_32(000002E8,00000000,00000000,00000000), ref: 004044FD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                        • String ID: CloseChat$DisplayMessage$GetMessage
                                        • API String ID: 2956720200-749203953
                                        • Opcode ID: 205cb7fab5be59415bcf8e4e90c61db227d26d6ec088cf298e9489aff68efbe1
                                        • Instruction ID: a70547b48422ce96676d24762269450ce3f1821fc9982c67352fb5fd346d99ba
                                        • Opcode Fuzzy Hash: 205cb7fab5be59415bcf8e4e90c61db227d26d6ec088cf298e9489aff68efbe1
                                        • Instruction Fuzzy Hash: F741BFB16043016BC714FB75DC5A8AE77A9ABC1714F40093EF906A31E6EF38DA05C79A
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419C94
                                        • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CAB
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CB8
                                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CC7
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CD8
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CDB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        • API ID: Service$CloseHandle$Open$ControlManager
                                        • String ID:
                                        • API String ID: 221034970-0
                                        • Opcode ID: 8f568d79055422364b0fc155fd47d6165a7356d41c75c5dcd4a60a29222dfb7a
                                        • Instruction ID: aaf019a9b49167a30595a2ca3c371567d0eeee9026f0995440eeab6e66ec65be
                                        • Opcode Fuzzy Hash: 8f568d79055422364b0fc155fd47d6165a7356d41c75c5dcd4a60a29222dfb7a
                                        • Instruction Fuzzy Hash: 00118632901218AFD7116B64EC85DFF3FACDB45BA5B000036F502921D1DB64DD46AAF5
                                        APIs
                                        • _free.LIBCMT ref: 00446DDF
                                          • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                          • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                        • _free.LIBCMT ref: 00446DEB
                                        • _free.LIBCMT ref: 00446DF6
                                        • _free.LIBCMT ref: 00446E01
                                        • _free.LIBCMT ref: 00446E0C
                                        • _free.LIBCMT ref: 00446E17
                                        • _free.LIBCMT ref: 00446E22
                                        • _free.LIBCMT ref: 00446E2D
                                        • _free.LIBCMT ref: 00446E38
                                        • _free.LIBCMT ref: 00446E46
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                        • Instruction ID: b6db37451886405a3c03f61b360184b61b1678451e8b30ee63348233c964278a
                                        • Opcode Fuzzy Hash: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                        • Instruction Fuzzy Hash: F011E975100408BFEB01EF55C842CDD3B65EF46354B06C0AAF9086F222DA35DE649F85
                                        APIs
                                        • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041B846
                                        • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B88A
                                        • RegCloseKey.ADVAPI32(?), ref: 0041BB54
                                        Strings
                                        • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041B83C
                                        • DisplayName, xrefs: 0041B8D1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        • API ID: CloseEnumOpen
                                        • String ID: DisplayName$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                        • API String ID: 1332880857-3614651759
                                        • Opcode ID: be487d9418a7434aad95e9825c4fb99dbac0c7fe4d506b3d910b5bf4207956f9
                                        • Instruction ID: 4ca6cd9db44c7b11bab16217f2b7ba144dfc64e74838f3250c32f9e768a6938f
                                        • Opcode Fuzzy Hash: be487d9418a7434aad95e9825c4fb99dbac0c7fe4d506b3d910b5bf4207956f9
                                        • Instruction Fuzzy Hash: 8C812E311082449BD324EB11DC51AEFB7E9FFD4314F10493FB58A921E1EF74AA49CA9A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        • API ID: Eventinet_ntoa
                                        • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
                                        • API String ID: 3578746661-4192532303
                                        • Opcode ID: 9ee93dc8ee8cf9e1d04652534be4f31ca41a8c3636414c83b488a3d0cf647272
                                        • Instruction ID: 9533851bb4e74ac183efc1d320b4a1154e984465ef7073577260c431c5a81f81
                                        • Opcode Fuzzy Hash: 9ee93dc8ee8cf9e1d04652534be4f31ca41a8c3636414c83b488a3d0cf647272
                                        • Instruction Fuzzy Hash: E8518471A042009BC714F779D85AAAE36A59B80318F40453FF849972E2DF7CAD85CB9F
                                        APIs
                                        • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
                                          • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                        • Sleep.KERNEL32(00000064), ref: 00416688
                                        • DeleteFileW.KERNEL32(00000000), ref: 004166BC
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        • API ID: File$CreateDeleteExecuteShellSleep
                                        • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                        • API String ID: 1462127192-2001430897
                                        • Opcode ID: ea2050b98f92ddcea2210cfe2ec6f239cc8a8764180ae9eff2db165a342346c5
                                        • Instruction ID: 72b86f905f1643b809cd09d25b02ba286255726e8958c1b91c3bd62dba73c542
                                        • Opcode Fuzzy Hash: ea2050b98f92ddcea2210cfe2ec6f239cc8a8764180ae9eff2db165a342346c5
                                        • Instruction Fuzzy Hash: FD313E719001085ADB14FBA1DC96EEE7764AF50708F00013FF906731E2EF786A8ACA9D
                                        APIs
                                        • _strftime.LIBCMT ref: 00401AD3
                                          • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                        • waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
                                        • waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
                                        • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                        • String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
                                        • API String ID: 3809562944-3643129801
                                        • Opcode ID: 1ad8f6790ccab606066c39c88497609bcb9bcde964e1e74afe60e33195bdd44c
                                        • Instruction ID: ec6e8c75c27496dd15f6dcc160753dc5291fcfbcfc36b55cd818fae73feeac55
                                        • Opcode Fuzzy Hash: 1ad8f6790ccab606066c39c88497609bcb9bcde964e1e74afe60e33195bdd44c
                                        • Instruction Fuzzy Hash: 6C317E315053009BC314EF25DC56A9E77E8BB94314F00883EF559A21F1EF78AA49CB9A
                                        APIs
                                        • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
                                        • waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
                                        • waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
                                        • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
                                        • waveInStart.WINMM ref: 00401A81
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                        • String ID: XCG$`=G$x=G
                                        • API String ID: 1356121797-903574159
                                        • Opcode ID: df66b5dce40286873da021395106849cc9c08a1aee5ad096444ea0181d895aab
                                        • Instruction ID: 1c4952ee711c82e1d68262a7885cb64ec938acb60d992cd4a46dee1db52e037b
                                        • Opcode Fuzzy Hash: df66b5dce40286873da021395106849cc9c08a1aee5ad096444ea0181d895aab
                                        • Instruction Fuzzy Hash: 87215C316012009BC704DF7EFD1696A7BA9FB85742B00843AF50DE76B0EBB89880CB4C
                                        APIs
                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C988
                                          • Part of subcall function 0041CA1F: RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                          • Part of subcall function 0041CA1F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                          • Part of subcall function 0041CA1F: GetLastError.KERNEL32 ref: 0041CA91
                                        • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9BF
                                        • lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9D9
                                        • Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9EF
                                        • TranslateMessage.USER32(?), ref: 0041C9FB
                                        • DispatchMessageA.USER32(?), ref: 0041CA05
                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA12
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                        • String ID: Remcos
                                        • API String ID: 1970332568-165870891
                                        • Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                        • Instruction ID: 0af2178feff80faf092f0d4c6bffee9b758878d1eb04e36c9ad6546aee081b39
                                        • Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                        • Instruction Fuzzy Hash: 760121B1944344ABD7109FA5FC4CEDA7BBCAB45B16F004035F605E2162D7B8A285DB2D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fa15d67f6967a0586858809eb4f8addb77c2acfc7eddd8ef9b3342f4efd30537
                                        • Instruction ID: 1e235cce983953b2f50cc3566bc78ab2d8216d31b9fa4c429b6f00869d8f9d70
                                        • Opcode Fuzzy Hash: fa15d67f6967a0586858809eb4f8addb77c2acfc7eddd8ef9b3342f4efd30537
                                        • Instruction Fuzzy Hash: 27C1D774D04249AFEF11DFA9C8417AEBBB4FF4A304F14405AE814A7392C778D941CBA9
                                        APIs
                                        • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00452E03,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00452BD6
                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452C59
                                        • __alloca_probe_16.LIBCMT ref: 00452C91
                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00452E03,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452CEC
                                        • __alloca_probe_16.LIBCMT ref: 00452D3B
                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D03
                                          • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433627,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B31
                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D7F
                                        • __freea.LIBCMT ref: 00452DAA
                                        • __freea.LIBCMT ref: 00452DB6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                        • String ID:
                                        • API String ID: 201697637-0
                                        • Opcode ID: 526ec53c1ec1ba6df620155d9200090ddd68624b921cdf3bb5e3273f0fe9ddbf
                                        • Instruction ID: c0da75549b7b47b94c7346473649b17197e9394d7568cc7349c1d05b16f9ad8a
                                        • Opcode Fuzzy Hash: 526ec53c1ec1ba6df620155d9200090ddd68624b921cdf3bb5e3273f0fe9ddbf
                                        • Instruction Fuzzy Hash: F391D872E002169BDF218E64CA51EEF7BB5AF0A315F14055BEC04E7243D7A9DC48CB68
                                        APIs
                                          • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                          • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                          • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                          • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                        • _memcmp.LIBVCRUNTIME ref: 004446A3
                                        • _free.LIBCMT ref: 00444714
                                        • _free.LIBCMT ref: 0044472D
                                        • _free.LIBCMT ref: 0044475F
                                        • _free.LIBCMT ref: 00444768
                                        • _free.LIBCMT ref: 00444774
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$ErrorLast$_abort_memcmp
                                        • String ID: C
                                        • API String ID: 1679612858-1037565863
                                        • Opcode ID: c7250944acb028a08b37f514f4006ded01109975d71aaf2ac6f0fb2cbf4e3e58
                                        • Instruction ID: 3c523a64da6f7cdf058c983f33271b3c05ff2f19a58e511a78fa6d1555c07658
                                        • Opcode Fuzzy Hash: c7250944acb028a08b37f514f4006ded01109975d71aaf2ac6f0fb2cbf4e3e58
                                        • Instruction Fuzzy Hash: 19B13975A012199FEB24DF18C885BAEB7B4FB49304F1485AEE909A7350D739AE90CF44
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: tcp$udp
                                        • API String ID: 0-3725065008
                                        • Opcode ID: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                        • Instruction ID: e59cad8d3053530f07be13ad944632c35d9115139dfdf9e987abb4c2b311e0ee
                                        • Opcode Fuzzy Hash: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                        • Instruction Fuzzy Hash: 9171AB316083128FDB24CE5584847ABB6E4AF84746F10043FF885A7352E778DE85CB9A
                                        APIs
                                        • ExitThread.KERNEL32 ref: 004017F4
                                          • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                          • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                        • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902
                                          • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                        • __Init_thread_footer.LIBCMT ref: 004017BC
                                          • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                          • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                        • String ID: T=G$p[G$>G$>G
                                        • API String ID: 1596592924-2461731529
                                        • Opcode ID: a2f29d9424a8babc0bc93eebde88bbfb793327dda833f395a31d79b62dc8e31c
                                        • Instruction ID: b2aa677fe1363808454ef9d3704f93b9908b7cd688e3fd59dcdd6ad405d7ff49
                                        • Opcode Fuzzy Hash: a2f29d9424a8babc0bc93eebde88bbfb793327dda833f395a31d79b62dc8e31c
                                        • Instruction Fuzzy Hash: 0D41A0316042019BC324FB65DCA6EAE73A4EB94318F00453FF54AA71F2DF78A945C65E
                                        APIs
                                        • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1
                                          • Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                          • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                          • Part of subcall function 00404468: send.WS2_32(000002E8,00000000,00000000,00000000), ref: 004044FD
                                        • RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseEnumInfoOpenQuerysend
                                        • String ID: TUF$TUFTUF$>G$DG$DG
                                        • API String ID: 3114080316-72097156
                                        • Opcode ID: 89925eaa06154a63bd28424ec2533a02a3176ccc3e7666e0208e9640ada48448
                                        • Instruction ID: 92049c6ae7fba3f13a57cd60a3827c89810429dfa6cf24b756c0ab1f01d338b1
                                        • Opcode Fuzzy Hash: 89925eaa06154a63bd28424ec2533a02a3176ccc3e7666e0208e9640ada48448
                                        • Instruction Fuzzy Hash: 0141A2316042009BC224F635D9A2AEF7394AFD0708F50843FF94A671E2EF7C5D4986AE
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                        • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                          • Part of subcall function 00404468: send.WS2_32(000002E8,00000000,00000000,00000000), ref: 004044FD
                                        • CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                        • MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                        • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
                                        • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
                                          • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
                                          • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                        • String ID: .part
                                        • API String ID: 1303771098-3499674018
                                        • Opcode ID: 5610bc5f6e39d3a578a479bf42043ce2c794b33f9a6bdb85f7b999220e864034
                                        • Instruction ID: a9f2b94bfe891e644ef5b97f564769cd4b441703f4f7d546a0b6aea2ef9939f1
                                        • Opcode Fuzzy Hash: 5610bc5f6e39d3a578a479bf42043ce2c794b33f9a6bdb85f7b999220e864034
                                        • Instruction Fuzzy Hash: 1C31C2715083019FD210EF21DD459AFB7A8FB85715F40093FF9C6A21A1DB38AA48CB9A
                                        APIs
                                          • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
                                          • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
                                          • Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE
                                          • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                          • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
                                        • _wcslen.LIBCMT ref: 0041A8F6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                        • String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
                                        • API String ID: 3286818993-703403762
                                        • Opcode ID: 3dd2e44a30b9e0726aafea5caaac72e33bd3badc141b86d0a3af8b333098f802
                                        • Instruction ID: cf464564bb47d370653928ac6653466accee15d45f6204cdc17a1bec324f9b19
                                        • Opcode Fuzzy Hash: 3dd2e44a30b9e0726aafea5caaac72e33bd3badc141b86d0a3af8b333098f802
                                        • Instruction Fuzzy Hash: 3021B8727001043BDB04BAB58C96DEE366D9B85358F14083FF402F72C2ED3C9D5942A9
                                        APIs
                                          • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                          • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                          • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                        • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
                                        • PathFileExistsA.SHLWAPI(?), ref: 0040B779
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                        • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders$TUF
                                        • API String ID: 1133728706-1738023494
                                        • Opcode ID: 327c319e43ad7a3cb4cdf43db3bd2976db39ed54ac7f628f86969c905a4345a4
                                        • Instruction ID: d844a8c095f6bc09782a4352348c5dfd082864f820bca84d12e352ec49be167e
                                        • Opcode Fuzzy Hash: 327c319e43ad7a3cb4cdf43db3bd2976db39ed54ac7f628f86969c905a4345a4
                                        • Instruction Fuzzy Hash: 5F216D71A00109A6CB04F7B2DCA69EE7764AE95318F40013FE902771D2EB7C9A49C6DE
                                        APIs
                                        • AllocConsole.KERNEL32(00474358), ref: 0041BEB9
                                        • GetConsoleWindow.KERNEL32 ref: 0041BEBF
                                        • ShowWindow.USER32(00000000,00000000), ref: 0041BED2
                                        • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BEF7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Console$Window$AllocOutputShow
                                        • String ID: Remcos v$5.3.0 Pro$CONOUT$
                                        • API String ID: 4067487056-2527699604
                                        • Opcode ID: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                                        • Instruction ID: 482f1cdaf256b8236abc94a0b12de3dc55517b66349f776fa4240982defd8f75
                                        • Opcode Fuzzy Hash: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                                        • Instruction Fuzzy Hash: 180171B19803047BD600FBF29D4BFDD37AC9B14705F5004277644E7093EABCA554866D
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042CE53,?,?,?,00449BA1,00000001,00000001,?), ref: 004499AA
                                        • __alloca_probe_16.LIBCMT ref: 004499E2
                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042CE53,?,?,?,00449BA1,00000001,00000001,?), ref: 00449A30
                                        • __alloca_probe_16.LIBCMT ref: 00449AC7
                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B2A
                                        • __freea.LIBCMT ref: 00449B37
                                          • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433627,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B31
                                        • __freea.LIBCMT ref: 00449B40
                                        • __freea.LIBCMT ref: 00449B65
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                        • String ID:
                                        • API String ID: 3864826663-0
                                        • Opcode ID: dc07b2b70d5d15ed1bcd67b1f24feaf136ebd40b623740e78a86a330a3ab3b56
                                        • Instruction ID: d3450b84a68f20df6837e20b70452335b33749c243a385fd48b45426a0ff81fe
                                        • Opcode Fuzzy Hash: dc07b2b70d5d15ed1bcd67b1f24feaf136ebd40b623740e78a86a330a3ab3b56
                                        • Instruction Fuzzy Hash: 89511572610246AFFB258F65DC81EBB77A9EB44754F15462EFC04E6240EF38EC40E668
                                        APIs
                                        • SendInput.USER32 ref: 00418B08
                                        • SendInput.USER32(00000001,?,0000001C), ref: 00418B30
                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B57
                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B75
                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B95
                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BBA
                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BDC
                                        • SendInput.USER32(00000001,?,0000001C), ref: 00418BFF
                                          • Part of subcall function 00418AB1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AB7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: InputSend$Virtual
                                        • String ID:
                                        • API String ID: 1167301434-0
                                        APIs
                                        • OpenClipboard.USER32 ref: 00415A46
                                        • EmptyClipboard.USER32 ref: 00415A54
                                        • CloseClipboard.USER32 ref: 00415A5A
                                        • OpenClipboard.USER32 ref: 00415A61
                                        • GetClipboardData.USER32(0000000D), ref: 00415A71
                                        • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                        • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                        • CloseClipboard.USER32 ref: 00415A89
                                          • Part of subcall function 00404468: send.WS2_32(000002E8,00000000,00000000,00000000), ref: 004044FD
                                        Similarity
                                        • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                        • String ID:
                                        • API String ID: 2172192267-0
                                        APIs
                                        • _free.LIBCMT ref: 00447EBC
                                        • _free.LIBCMT ref: 00447EE0
                                        • _free.LIBCMT ref: 00448067
                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
                                        • _free.LIBCMT ref: 00448233
                                        Similarity
                                        • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                        • String ID:
                                        • API String ID: 314583886-0
                                        Similarity
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        APIs
                                          • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433627,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B31
                                        • _free.LIBCMT ref: 00444086
                                        • _free.LIBCMT ref: 0044409D
                                        • _free.LIBCMT ref: 004440BC
                                        • _free.LIBCMT ref: 004440D7
                                        • _free.LIBCMT ref: 004440EE
                                        Similarity
                                        • API ID: _free$AllocateHeap
                                        • String ID: J7D
                                        • API String ID: 3033488037-1677391033
                                        APIs
                                        • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0044A838,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A105
                                        • __fassign.LIBCMT ref: 0044A180
                                        • __fassign.LIBCMT ref: 0044A19B
                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044A1C1
                                        • WriteFile.KERNEL32(?,00000000,00000000,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A1E0
                                        • WriteFile.KERNEL32(?,?,00000001,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A219
                                        Similarity
                                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                        • String ID:
                                        • API String ID: 1324828854-0
                                        Similarity
                                        • API ID: _free
                                        • String ID: HE$HE
                                        • API String ID: 269201875-1978648262
                                        APIs
                                          • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                          • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
                                        • Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
                                        • CloseHandle.KERNEL32(00000000), ref: 0040E8AB
                                          • Part of subcall function 0041B187: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B19C
                                          • Part of subcall function 0041B187: IsWow64Process.KERNEL32(00000000,?,?,?,00474358), ref: 0041B1A7
                                          • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                          • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
                                        Similarity
                                        • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                        • String ID: PgF
                                        • API String ID: 2180151492-654241383
                                        APIs
                                        • _ValidateLocalCookies.LIBCMT ref: 00437AAB
                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 00437AB3
                                        • _ValidateLocalCookies.LIBCMT ref: 00437B41
                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 00437B6C
                                        • _ValidateLocalCookies.LIBCMT ref: 00437BC1
                                        Similarity
                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                        • String ID: csm
                                        • API String ID: 1170836740-1018135373
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
                                        • int.LIBCPMT ref: 0040FC0F
                                          • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                          • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                        • std::_Facet_Register.LIBCPMT ref: 0040FC4B
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                        • String ID: P[G
                                        • API String ID: 2536120697-571123470
                                        APIs
                                          • Part of subcall function 0044FA22: _free.LIBCMT ref: 0044FA4B
                                        • _free.LIBCMT ref: 0044FD29
                                          • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                          • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                        • _free.LIBCMT ref: 0044FD34
                                        • _free.LIBCMT ref: 0044FD3F
                                        • _free.LIBCMT ref: 0044FD93
                                        • _free.LIBCMT ref: 0044FD9E
                                        • _free.LIBCMT ref: 0044FDA9
                                        • _free.LIBCMT ref: 0044FDB4
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        APIs
                                        • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe), ref: 00406835
                                          • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
                                          • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                        • CoUninitialize.OLE32 ref: 0040688E
                                        Strings
                                        • [+] before ShellExec, xrefs: 00406856
                                        • C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe, xrefs: 00406815, 00406818, 0040686A
                                        • [+] ucmCMLuaUtilShellExecMethod, xrefs: 0040681A
                                        • [+] ShellExec success, xrefs: 00406873
                                        Similarity
                                        • API ID: InitializeObjectUninitialize_wcslen
                                        • String ID: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                        • API String ID: 3851391207-1235226748
                                        • Opcode ID: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                        • Instruction ID: 622c6236034ee416db36617ed9a374104512909f75adacabffe0517dc70a223e
                                        • Opcode Fuzzy Hash: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                        • Instruction Fuzzy Hash: A501C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
                                        • int.LIBCPMT ref: 0040FEF2
                                          • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                          • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                        • std::_Facet_Register.LIBCPMT ref: 0040FF2E
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                        • String ID: H]G
                                        • API String ID: 2536120697-1717957184
                                        • Opcode ID: 831260e2e50258e734e800f671c2e221e985db4fe4157639c37b4271b6a7a30d
                                        • Instruction ID: c39742161ac3258eace465d30f2780732a1ff9819e97f4bd037edafe9ec39b9f
                                        • Opcode Fuzzy Hash: 831260e2e50258e734e800f671c2e221e985db4fe4157639c37b4271b6a7a30d
                                        • Instruction Fuzzy Hash: 9011BF31900419ABCB24FBA5C8468DDB7799F95318B20007FF505B72C1EB78AF09C799
                                        APIs
                                        • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
                                        • GetLastError.KERNEL32 ref: 0040B2EE
                                        Strings
                                        • [Chrome Cookies not found], xrefs: 0040B308
                                        • UserProfile, xrefs: 0040B2B4
                                        • [Chrome Cookies found, cleared!], xrefs: 0040B314
                                        • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: DeleteErrorFileLast
                                        • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                        • API String ID: 2018770650-304995407
                                        • Opcode ID: affce56bb21929d7383bdb2dccb574c79b51b4180e8c74c87d019dc2b0b7a2d9
                                        • Instruction ID: 647c9f6895dd19beb09db90be4e639f81332b1b521455d1adc7a9c6a9ee315b4
                                        • Opcode Fuzzy Hash: affce56bb21929d7383bdb2dccb574c79b51b4180e8c74c87d019dc2b0b7a2d9
                                        • Instruction Fuzzy Hash: 3301A23164410557CB047BB5DD6B8AF3624ED50708F60013FF802B32E2FE3A9A0586CE
                                        Strings
                                        • BG, xrefs: 00406909
                                        • Rmc-P8SKN0, xrefs: 0040693F
                                        • C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe, xrefs: 00406927
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe$Rmc-P8SKN0$BG
                                        • API String ID: 0-993487144
                                        • Opcode ID: 51f1828bc25dd4c0d61216237760cedcfa3e45f86a5da5526d20c461b23c031b
                                        • Instruction ID: a0817f974ad937f6cb5b9dd001e5131ae01746641b95ac10126ddf8aadfa6e31
                                        • Opcode Fuzzy Hash: 51f1828bc25dd4c0d61216237760cedcfa3e45f86a5da5526d20c461b23c031b
                                        • Instruction Fuzzy Hash: 05F096B17022109BDB103774BC1967A3645A780356F01847BF94BFA6E5DB3C8851869C
                                        APIs
                                        • __allrem.LIBCMT ref: 00439789
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397A5
                                        • __allrem.LIBCMT ref: 004397BC
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397DA
                                        • __allrem.LIBCMT ref: 004397F1
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043980F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                        • String ID:
                                        • API String ID: 1992179935-0
                                        • Opcode ID: 9c67cb4fed110ca44ac0cc586ac5e74db1fc7c48150eab0f41685f45472ef8a2
                                        • Instruction ID: 29148231e9435c1f59b8c02308e8e4f0c882d016d38a0f6ab7871d26eba04b65
                                        • Opcode Fuzzy Hash: 9c67cb4fed110ca44ac0cc586ac5e74db1fc7c48150eab0f41685f45472ef8a2
                                        • Instruction Fuzzy Hash: 7A811B726017069BE724AE79CC82B6F73A8AF49328F24512FF511D66C1E7B8DD018B58
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __cftoe
                                        • String ID:
                                        • API String ID: 4189289331-0
                                        • Opcode ID: 9b2fc1694d82a2623a89bc6481469fa908d9f87ebd85e1474d8b0e6b87dad09b
                                        • Instruction ID: 646e0444ce84107b4b6d0ff1d92098e8eb0dfa86acef9ec08128487301265115
                                        • Opcode Fuzzy Hash: 9b2fc1694d82a2623a89bc6481469fa908d9f87ebd85e1474d8b0e6b87dad09b
                                        • Instruction Fuzzy Hash: A851FC72900105ABFB249F598C81F6F77A9EFC9324F15421FF815A6281DB3DDD01866D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __freea$__alloca_probe_16
                                        • String ID: a/p$am/pm
                                        • API String ID: 3509577899-3206640213
                                        • Opcode ID: 8deeeeed546ed09e108088d03576c5a7044c08e960b88e6dc0624d4c906a0201
                                        • Instruction ID: cf09b504ad0dd49156c227457699755419044adef71e8be36bbdd309731302d4
                                        • Opcode Fuzzy Hash: 8deeeeed546ed09e108088d03576c5a7044c08e960b88e6dc0624d4c906a0201
                                        • Instruction Fuzzy Hash: 5FD1F271A00206EAFB249F68D945ABBB7B0FF06300F26415BE905AB749D37D8D41CB5B
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419DFC
                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E10
                                        • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E1D
                                        • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419507), ref: 00419E52
                                        • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E64
                                        • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E67
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                        • String ID:
                                        • API String ID: 493672254-0
                                        • Opcode ID: 68f1e835941cc6574ae3172da8245a4dbba7b98562f75027ccb4571b71c43179
                                        • Instruction ID: c28812c6d5a3476d8c1fe7dae916194da5da8b168be8dbaba893861dad7fc5da
                                        • Opcode Fuzzy Hash: 68f1e835941cc6574ae3172da8245a4dbba7b98562f75027ccb4571b71c43179
                                        • Instruction Fuzzy Hash: 3301F5311483147AD7119B39EC5EEBF3AACDB42B71F10022BF526D62D1DA68DE8181A9
                                        APIs
                                        • GetLastError.KERNEL32(?,?,00437DFD,004377B1), ref: 00437E14
                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E22
                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E3B
                                        • SetLastError.KERNEL32(00000000,?,00437DFD,004377B1), ref: 00437E8D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLastValue___vcrt_
                                        • String ID:
                                        • API String ID: 3852720340-0
                                        • Opcode ID: 621d246bd99772174e6328e27007d7fc44d2e9bedb07ae0db1c9b20682e519a8
                                        • Instruction ID: be779a20f6972cc68ff7cd304671387be2c97454b743a33de387a584dbd8fa65
                                        • Opcode Fuzzy Hash: 621d246bd99772174e6328e27007d7fc44d2e9bedb07ae0db1c9b20682e519a8
                                        • Instruction Fuzzy Hash: 2A01D8B222D315ADEB3427757C87A172699EB09779F2013BFF228851E1EF294C41914C
                                        APIs
                                        • GetLastError.KERNEL32(?,?,0043931C,?,?,?,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B), ref: 00446EC3
                                        • _free.LIBCMT ref: 00446EF6
                                        • _free.LIBCMT ref: 00446F1E
                                        • SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F2B
                                        • SetLastError.KERNEL32(00000000,0043E4CD,?,?,?,?,00000000,?,?,0042CE53,0000003B,?,00000041,00000000,00000000), ref: 00446F37
                                        • _abort.LIBCMT ref: 00446F3D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorLast$_free$_abort
                                        • String ID:
                                        • API String ID: 3160817290-0
                                        • Opcode ID: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                                        • Instruction ID: 3d2b287d931d31d162837175e2379b90ae0e47a7897f975c134f35b9cb22fcab
                                        • Opcode Fuzzy Hash: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                                        • Instruction Fuzzy Hash: 2AF0F93560870177F6226339BD45A6F16559BC37A6F36003FF414A2293EE2D8C46451F
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C2F
                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C43
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C50
                                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C5F
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C71
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C74
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$Open$ControlManager
                                        • String ID:
                                        • API String ID: 221034970-0
                                        • Opcode ID: cb23a265b501da1ed9a271a63ec08baaa1bf9c1cf5a7cec22900b30d8e19d8fa
                                        • Instruction ID: e05d85410d15b39c35b215a1997cf582e970b4d0c8f2e3caff6268b58306b2a8
                                        • Opcode Fuzzy Hash: cb23a265b501da1ed9a271a63ec08baaa1bf9c1cf5a7cec22900b30d8e19d8fa
                                        • Instruction Fuzzy Hash: F2F0F6325003147BD3116B25EC89EFF3BACDB45BA1F000036F902921D2DB68CD4685F5
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D31
                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D45
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D52
                                        • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D61
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D73
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D76
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$Open$ControlManager
                                        • String ID:
                                        • API String ID: 221034970-0
                                        • Opcode ID: 87463e1bdf8bb651a0013945517c704a9b2de3a64a82b3cc186aeafb224c7010
                                        • Instruction ID: 9e91e616c68215657d038be5823d6e3897a30bcf6e0764f9fcdf2292ad9a2404
                                        • Opcode Fuzzy Hash: 87463e1bdf8bb651a0013945517c704a9b2de3a64a82b3cc186aeafb224c7010
                                        • Instruction Fuzzy Hash: C5F062725003146BD2116B65EC89EBF3BACDB45BA5B00003AFA06A21D2DB68DD4696F9
                                        APIs
                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419D96
                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DAA
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DB7
                                        • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DC6
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DD8
                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DDB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Service$CloseHandle$Open$ControlManager
                                        • String ID:
                                        • API String ID: 221034970-0
                                        • Opcode ID: ab1a1cc1830ffa19df902a2de4304976c1de8e56a3f0d841ebfd0113734f6356
                                        • Instruction ID: abda6543b9bae7672c93be1b0f3a8a56711a85df89096aceaf06b6c73a90a6e4
                                        • Opcode Fuzzy Hash: ab1a1cc1830ffa19df902a2de4304976c1de8e56a3f0d841ebfd0113734f6356
                                        • Instruction Fuzzy Hash: C2F0C2325002146BD2116B24FC49EBF3AACDB45BA1B04003AFA06A21D2DB28CE4685F8
                                        APIs
                                        • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                        • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Enum$InfoQueryValue
                                        • String ID: [regsplt]$DG
                                        • API String ID: 3554306468-1089238109
                                        • Opcode ID: f848460f52508067e72b9a5b60f4bdec59c2ac818a8035bb264c1edef98a79c3
                                        • Instruction ID: 09469598a034e88a10af8fecb22bb8a395a4bc85e225d04bcc93034602455e52
                                        • Opcode Fuzzy Hash: f848460f52508067e72b9a5b60f4bdec59c2ac818a8035bb264c1edef98a79c3
                                        • Instruction Fuzzy Hash: D8512E72108345AFD310EB61D995DEFB7ECEF84744F00493EB585D2191EB74EA088B6A
                                        APIs
                                        • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe,00000104), ref: 00442714
                                        • _free.LIBCMT ref: 004427DF
                                        • _free.LIBCMT ref: 004427E9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$FileModuleName
                                        • String ID: 8(\$C:\Users\user\Desktop\17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe
                                        • API String ID: 2506810119-677269785
                                        • Opcode ID: ae9165eb27f4f845c69520f3dc3d45a64db1a1f113bc22466fc6999e8739498b
                                        • Instruction ID: 3cff5717343a4e3a710d875500e96c622d597d45f5ef159119de948e6b6562f0
                                        • Opcode Fuzzy Hash: ae9165eb27f4f845c69520f3dc3d45a64db1a1f113bc22466fc6999e8739498b
                                        • Instruction Fuzzy Hash: 3E31B371A00218AFEB21DF9ADD81D9EBBFCEB85314F54406BF804A7311D6B88E41DB59
                                        APIs
                                          • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                          • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                          • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                        • __Init_thread_footer.LIBCMT ref: 0040AEA7
                                          • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                          • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                        • String ID: [End of clipboard]$[Text copied to clipboard]$,]G$0]G
                                        • API String ID: 2974294136-753205382
                                        • Opcode ID: 08e2c2b1808dfe6b9784c8c9f12b4a296d3d9bfbc1b05b3c20a748118c55d99c
                                        • Instruction ID: 172b4b58ae75f988d3b3a293bba3f35c56e57800f0e036023c2a0486d145437f
                                        • Opcode Fuzzy Hash: 08e2c2b1808dfe6b9784c8c9f12b4a296d3d9bfbc1b05b3c20a748118c55d99c
                                        • Instruction Fuzzy Hash: 44219F31A002099ACB14FB75D8929EE7774AF54318F50403FF406771E2EF386E4A8A8D
                                        APIs
                                        • GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                                        • wsprintfW.USER32 ref: 0040A905
                                          • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: EventLocalTimewsprintf
                                        • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                        • API String ID: 1497725170-248792730
                                        • Opcode ID: 0acfec947856b69bf132d91d358ab5bc594aef04b3e24661333035c5e4e38810
                                        • Instruction ID: 8a7b6ca92c081f7f17d03b5bac770d689c192d548357e869dbc211d44db93d1d
                                        • Opcode Fuzzy Hash: 0acfec947856b69bf132d91d358ab5bc594aef04b3e24661333035c5e4e38810
                                        • Instruction Fuzzy Hash: BB118172400118AACB18BB56EC55CFE77BCAE48325F00013FF842620D1EF7C5A86C6E9
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                        • Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                        • CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseCreateHandleSizeSleep
                                        • String ID: `AG
                                        • API String ID: 1958988193-3058481221
                                        • Opcode ID: 4ebf0acc99a1bd76ecb676338ad5ca66b749e389f9c6bdc81adf82034e374675
                                        • Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
                                        • Opcode Fuzzy Hash: 4ebf0acc99a1bd76ecb676338ad5ca66b749e389f9c6bdc81adf82034e374675
                                        • Instruction Fuzzy Hash: 3A11C4303407406AE731E764E88962B7A9AAB91311F44057EF18562AE3D7389CD1829D
                                        APIs
                                        • RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                        • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                        • GetLastError.KERNEL32 ref: 0041CA91
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ClassCreateErrorLastRegisterWindow
                                        • String ID: 0$MsgWindowClass
                                        • API String ID: 2877667751-2410386613
                                        • Opcode ID: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                        • Instruction ID: bff961279ea7560c1ff94ea7b7e8445e3758215821d07408c43b005d8adda241
                                        • Opcode Fuzzy Hash: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                        • Instruction Fuzzy Hash: 2D01E9B1D1431EAB8B01DFE9DCC4AEFBBBDBE49255B50452AE410B2200E7704A448BA5
                                        APIs
                                        • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
                                        • CloseHandle.KERNEL32(?), ref: 00406A0F
                                        • CloseHandle.KERNEL32(?), ref: 00406A14
                                        Strings
                                        • C:\Windows\System32\cmd.exe, xrefs: 004069FB
                                        • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseHandle$CreateProcess
                                        • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                        • API String ID: 2922976086-4183131282
                                        • Opcode ID: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                        • Instruction ID: 91eee74bc7ca160cae255ad37e89f65ee2415c19472677646c1a5aeb81073604
                                        • Opcode Fuzzy Hash: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                        • Instruction Fuzzy Hash: 8AF030B69002A9BACB30ABD69C0EFDF7F7DEBC6B11F00042AB615A6051D6745144CAB9
                                        APIs
                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044258A,?,?,0044252A,?), ref: 004425F9
                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044260C
                                        • FreeLibrary.KERNEL32(00000000,?,?,?,0044258A,?,?,0044252A,?), ref: 0044262F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressFreeHandleLibraryModuleProc
                                        • String ID: CorExitProcess$mscoree.dll
                                        • API String ID: 4061214504-1276376045
                                        • Opcode ID: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                        • Instruction ID: 32bca75c9846dbfd0145c2b425e1dcbc158e0b1ec8d75d3d798e8c7ef3c4518a
                                        • Opcode Fuzzy Hash: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                        • Instruction Fuzzy Hash: 14F04430904209FBDB169FA5ED09B9EBFB5EB08756F4140B9F805A2251DF749D40CA9C
                                        APIs
                                        • RegCreateKeyW.ADVAPI32(80000001,00000000,BG), ref: 0041277F
                                        • RegSetValueExW.ADVAPI32(BG,?,00000000,00000001,00000000,00000000,004742F8,?,0040E5CB,pth_unenc,004742E0), ref: 004127AD
                                        • RegCloseKey.ADVAPI32(?,?,0040E5CB,pth_unenc,004742E0), ref: 004127B8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseCreateValue
                                        • String ID: pth_unenc$BG
                                        • API String ID: 1818849710-2233081382
                                        • Opcode ID: 7fb84232b7661129f93bed74f5109d0e76784bc5d303e4d247da168f20c3a91f
                                        • Instruction ID: fff2d7bcc465bc574364a4979b4b77ba115ffea085319746951fe37a0eeb78e5
                                        • Opcode Fuzzy Hash: 7fb84232b7661129f93bed74f5109d0e76784bc5d303e4d247da168f20c3a91f
                                        • Instruction Fuzzy Hash: 9FF0CD31500218BBDF109FA0ED46EEF37ACAB40B50F104539F902A60A1E675DB14DAA4
                                        APIs
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,004745A8,00414DB5,00000000,00000000,00000001), ref: 00404AED
                                        • SetEvent.KERNEL32(000002F0), ref: 00404AF9
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404B04
                                        • CloseHandle.KERNEL32(00000000), ref: 00404B0D
                                          • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                        • String ID: KeepAlive | Disabled
                                        • API String ID: 2993684571-305739064
                                        • Opcode ID: 6a2e9fed7c31a08c387878a041e76ce1f8cb1591724bfece31842f89ecd98ae4
                                        • Instruction ID: d6da77504ed7f85403cc54e6f32b3900d2337039667ff8d97479a9328fe4a552
                                        • Opcode Fuzzy Hash: 6a2e9fed7c31a08c387878a041e76ce1f8cb1591724bfece31842f89ecd98ae4
                                        • Instruction Fuzzy Hash: F8F0BBB19043007FDB1137759D0E66B7F58AB46325F00457FF892926F1DA38D890875B
                                        APIs
                                          • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                        • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F64
                                        • PlaySoundW.WINMM(00000000,00000000), ref: 00419F72
                                        • Sleep.KERNEL32(00002710), ref: 00419F79
                                        • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F82
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: PlaySound$HandleLocalModuleSleepTime
                                        • String ID: Alarm triggered
                                        • API String ID: 614609389-2816303416
                                        • Opcode ID: b235acc6dc62185f624d205ca418591b0f75406fe2ec0c8e15ad043012baae45
                                        • Instruction ID: 0fe531f7edf44dbbc4d7c544cb5d4c76277d8d7fe89cd9bd4aa838a143c441bc
                                        • Opcode Fuzzy Hash: b235acc6dc62185f624d205ca418591b0f75406fe2ec0c8e15ad043012baae45
                                        • Instruction Fuzzy Hash: 50E09A22A0422033862033BA7C0FC6F3E28DAC6B75B4100BFF905A21A2AE54081086FB
                                        APIs
                                        • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF02), ref: 0041BE79
                                        • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BE86
                                        • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF02), ref: 0041BE93
                                        • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BEA6
                                        Strings
                                        • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BE99
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Console$AttributeText$BufferHandleInfoScreen
                                        • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                        • API String ID: 3024135584-2418719853
                                        • Opcode ID: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                                        • Instruction ID: 2ebb83c1e7e70c4501562f07591cf8b091918c9767bda4cb27a2f29097fd03e7
                                        • Opcode Fuzzy Hash: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                                        • Instruction Fuzzy Hash: C7E04F62104348ABD31437F5BC8ECAB3B7CE784613B100536F612903D3EA7484448A79
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 092d045fd4dfbc3abfb12b6361b7e91f54830b77947eddd119647d88fc19d888
                                        • Instruction ID: 5f24fa964153eb206603784754227e3bedeb81a57cd12874f4c303f17d5dd595
                                        • Opcode Fuzzy Hash: 092d045fd4dfbc3abfb12b6361b7e91f54830b77947eddd119647d88fc19d888
                                        • Instruction Fuzzy Hash: FD71C231900216DBEB218F55C884ABFBB75FF55360F14026BEE10A7281D7B89D61CBA9
                                        APIs
                                          • Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF
                                        • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
                                        • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
                                        • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410C31
                                        • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
                                        • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69
                                        Similarity
                                        • API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
                                        • String ID:
                                        • API String ID: 3525466593-0
                                        • Opcode ID: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
                                        • Instruction ID: 414678d8c61d87a8872ee73c425a8c4ab38aff0ef96490e16bc3f9b9534d1ba0
                                        • Opcode Fuzzy Hash: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
                                        • Instruction Fuzzy Hash: 1861C270200301ABD720DF66C981BA77BE6BF44744F04412AF9058B786EBF8E8C5CB99
                                        APIs
                                        • Sleep.KERNEL32(00000000), ref: 00403E8A
                                          • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
                                        Strings
                                        Similarity
                                        • API ID: H_prologSleep
                                        • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                                        • API String ID: 3469354165-3547787478
                                        • Opcode ID: 356618ed464ceca4244ca76947bfab2896cca6e77cd3489199c282be76bf00d5
                                        • Instruction ID: 0dce3c58988623f436d5c5d916b021fc345e3c2d86dff9f08dc17926b78fee06
                                        • Opcode Fuzzy Hash: 356618ed464ceca4244ca76947bfab2896cca6e77cd3489199c282be76bf00d5
                                        • Instruction Fuzzy Hash: A441A330A0420197CA14FB79C816AAD3A655B45704F00453FF809A73E2EF7C9A45C7CF
                                        APIs
                                        Similarity
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        • Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                        • Instruction ID: 1dbcf13812f0ad7c91f1b1cf961d24232ef3b5dad0ac29e3e9285c08b65e5f3f
                                        • Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                        • Instruction Fuzzy Hash: 4A41D532E002049FEB24DF79C881A5EB3A5EF89718F15856EE915EB341DB35EE01CB84
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0042CE53,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53), ref: 0044FF20
                                        • __alloca_probe_16.LIBCMT ref: 0044FF58
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,0042CE53,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53,?), ref: 0044FFA9
                                        • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,?,?,00000001,0042CE53,0042CE53,?,00000002,?), ref: 0044FFBB
                                        • __freea.LIBCMT ref: 0044FFC4
                                          • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433627,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B31
                                        Similarity
                                        • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                        • String ID:
                                        • API String ID: 313313983-0
                                        • Opcode ID: 578e6bc7a4fc1a2bb7a9e58197017e828bee5b66154445d614d46d91064b4efe
                                        • Instruction ID: fd0d2a6e26420063bd1679c32ed8e9021f1b2be81e6a043fb7466d0fa567ef17
                                        • Opcode Fuzzy Hash: 578e6bc7a4fc1a2bb7a9e58197017e828bee5b66154445d614d46d91064b4efe
                                        • Instruction Fuzzy Hash: 9831FE32A0021AABEF248F65DC41EAF7BA5EB05314F05017BFC04D6290EB39DD58CBA4
                                        APIs
                                        • GetEnvironmentStringsW.KERNEL32 ref: 0044E144
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E167
                                          • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00433627,?,?,00402BE9,?,00402629,00000000,?,00402578,?,?), ref: 00446B31
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E18D
                                        • _free.LIBCMT ref: 0044E1A0
                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1AF
                                        Similarity
                                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                        • String ID:
                                        • API String ID: 336800556-0
                                        • Opcode ID: cbfa98b2cae8c11c90072c2e77890abdc970385a4e1e7188d4ee333dffee03c0
                                        • Instruction ID: 38685928f53d0fdec7f9771a1fbcf5508afe04d06d5fe5a1692e2fd93afee85f
                                        • Opcode Fuzzy Hash: cbfa98b2cae8c11c90072c2e77890abdc970385a4e1e7188d4ee333dffee03c0
                                        • Instruction Fuzzy Hash: 8201B1726417117F73215ABB6C8CC7B6A6DEEC2BA2315013ABD04D6201DA788C0291B9
                                        APIs
                                        • GetLastError.KERNEL32(00000000,?,?,00445359,00446B42,00000000,?,00433627,?,?,00402BE9,?,00402629,00000000,?,00402578), ref: 00446F48
                                        • _free.LIBCMT ref: 00446F7D
                                        • _free.LIBCMT ref: 00446FA4
                                        • SetLastError.KERNEL32(00000000), ref: 00446FB1
                                        • SetLastError.KERNEL32(00000000), ref: 00446FBA
                                        Similarity
                                        • API ID: ErrorLast$_free
                                        • String ID:
                                        • API String ID: 3170660625-0
                                        • Opcode ID: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                        • Instruction ID: 6bd692df8320938abc1815071491dbd9703328d73d2f54107518a18b095bb187
                                        • Opcode Fuzzy Hash: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                        • Instruction Fuzzy Hash: 7401D13620C70067F61266757C85D2F266DDBC3B66727013FF958A2292EE2CCC0A452F
                                        APIs
                                        • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                        • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                        • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041B3C8
                                        • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3D3
                                        • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3DB
                                        Similarity
                                        • API ID: Process$CloseHandleOpen$FileImageName
                                        • String ID:
                                        • API String ID: 2951400881-0
                                        • Opcode ID: b8726634bc2d24e9c2e2bc3987753934be5434803c47aebb3633f4ceaff1eb89
                                        • Instruction ID: bb9aee54fd4b55ef2446b45ef4d52834339351c189d8e7c886657dc3bd6b5f1d
                                        • Opcode Fuzzy Hash: b8726634bc2d24e9c2e2bc3987753934be5434803c47aebb3633f4ceaff1eb89
                                        • Instruction Fuzzy Hash: 2FF04971204209ABD3106754AC4AFA7B27CDB40B96F000037FA61D22A1FFB4CCC146AE
                                        APIs
                                        • _free.LIBCMT ref: 0044F7B5
                                          • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                          • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                        • _free.LIBCMT ref: 0044F7C7
                                        • _free.LIBCMT ref: 0044F7D9
                                        • _free.LIBCMT ref: 0044F7EB
                                        • _free.LIBCMT ref: 0044F7FD
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                        • Instruction ID: 78b16e2cd2bc6e4547488c8f4e3d182d22cf8911186b8f77a4a783cd10448158
                                        • Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                        • Instruction Fuzzy Hash: 9AF01232505600BBE620EB59E8C5C1773E9EB827147A9482BF408F7641CB3DFCC48A6C
                                        APIs
                                        • _free.LIBCMT ref: 00443305
                                          • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                          • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                        • _free.LIBCMT ref: 00443317
                                        • _free.LIBCMT ref: 0044332A
                                        • _free.LIBCMT ref: 0044333B
                                        • _free.LIBCMT ref: 0044334C
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        • Opcode ID: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                        • Instruction ID: 76e6a482bc9a1727a28655d1f271e5fc3ecde01143ea680422932a64b095765e
                                        • Opcode Fuzzy Hash: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                        • Instruction Fuzzy Hash: B9F05EF08075209FAB12AF2DBD014893BA0B786755306413BF41EB2772EB380D95DB8E
                                        APIs
                                        • GetWindowThreadProcessId.USER32(?,?), ref: 00416768
                                        • GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
                                        • IsWindowVisible.USER32(?), ref: 004167A1
                                          • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                          • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                        Strings
                                        Similarity
                                        • API ID: ProcessWindow$Open$TextThreadVisible
                                        • String ID: (FG
                                        • API String ID: 3142014140-2273637114
                                        • Opcode ID: dc3e4d4fa133973a90e115171a0b0dda6a4a0e59ab6cdd83058d7cd8e4f31980
                                        • Instruction ID: 6337817d5adb2ff800b6fe7f9081d1b6a06097940366009b721c4d78a1625a25
                                        • Opcode Fuzzy Hash: dc3e4d4fa133973a90e115171a0b0dda6a4a0e59ab6cdd83058d7cd8e4f31980
                                        • Instruction Fuzzy Hash: FD71E6321082414AC325FB61D8A5ADFB3E4AFE4319F50453EF58A530E1EF746A49C79A
                                        APIs
                                        • _strpbrk.LIBCMT ref: 0044D4A8
                                        • _free.LIBCMT ref: 0044D5C5
                                          • Part of subcall function 0043A854: IsProcessorFeaturePresent.KERNEL32(00000017,0043A826,?,?,?,00414BBD,?,00000000,00000000,?,0043A846,00000000,00000000,00000000,00000000,00000000), ref: 0043A856
                                          • Part of subcall function 0043A854: GetCurrentProcess.KERNEL32(C0000417), ref: 0043A878
                                          • Part of subcall function 0043A854: TerminateProcess.KERNEL32(00000000), ref: 0043A87F
                                        Strings
                                        Similarity
                                        • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                        • String ID: *?$.
                                        • API String ID: 2812119850-3972193922
                                        • Opcode ID: dbad545dedeb202f26215854c3da024dc0fb99b6c0e3b260b863dc96475f25f4
                                        • Instruction ID: 2d4433a3afc190a5690657b280c6536bac4d5ba0d1806d6c31be7b1549e3be36
                                        • Opcode Fuzzy Hash: dbad545dedeb202f26215854c3da024dc0fb99b6c0e3b260b863dc96475f25f4
                                        • Instruction Fuzzy Hash: 7251B371E00109AFEF14DFA9C881AAEB7F5EF58318F24416FE854E7301DA799E018B54
                                        APIs
                                        • GetKeyboardLayoutNameA.USER32(?), ref: 00409601
                                          • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                          • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                          • Part of subcall function 0041B6AA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6BF
                                          • Part of subcall function 00404468: send.WS2_32(000002E8,00000000,00000000,00000000), ref: 004044FD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateFileKeyboardLayoutNameconnectsendsocket
                                        • String ID: XCG$`AG$>G
                                        • API String ID: 2334542088-2372832151
                                        • Opcode ID: c741465ea1312510a8e8ad96102320b27bdea1eb96b2cd00a3f77fd0b87224ad
                                        • Instruction ID: 7adbea44916697806613a62f0197ef330eb15d5bc584e2d7fa9685cab7613629
                                        • Opcode Fuzzy Hash: c741465ea1312510a8e8ad96102320b27bdea1eb96b2cd00a3f77fd0b87224ad
                                        • Instruction Fuzzy Hash: 865143321042405BC325F775D8A2AEF73D5AFE4308F50483FF84A671E2EE785949C69A
                                        APIs
                                        • send.WS2_32(000002E8,00000000,00000000,00000000), ref: 004044FD
                                        • WaitForSingleObject.KERNEL32(00000304,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                        • SetEvent.KERNEL32(00000304,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: EventObjectSingleWaitsend
                                        • String ID: LAL
                                        • API String ID: 3963590051-3302426157
                                        • Opcode ID: 39395ac51e9df926e27c7f9f262a8473f5badab151c787be0871b375860f7c60
                                        • Instruction ID: 68c7e6670e460543dd9c105572fcb78fed3a06f13f8c8b410ea91b680b50408d
                                        • Opcode Fuzzy Hash: 39395ac51e9df926e27c7f9f262a8473f5badab151c787be0871b375860f7c60
                                        • Instruction Fuzzy Hash: 192143B29001196BDF04BBA5DC96DEE777CFF54358B00013EF916B21E1EA78A604D6A4
                                        APIs
                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
                                          • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
                                          • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                          • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                          • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                        • Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                        • String ID: /sort "Visit Time" /stext "$8>G
                                        • API String ID: 368326130-2663660666
                                        • Opcode ID: 241b4b7d42c9deaafa6c56f90d3fa67529bdc3a02532d12bad5a01a8cb4df0f7
                                        • Instruction ID: 7eda923cdb9144c2d3fbd791e6ccfb72172be11f11f2a08a3aebfaec1b2861d2
                                        • Opcode Fuzzy Hash: 241b4b7d42c9deaafa6c56f90d3fa67529bdc3a02532d12bad5a01a8cb4df0f7
                                        • Instruction Fuzzy Hash: E5317331A0021456CB14FBB6DC969EE7775AF90318F40017FF906B71D2EF385A8ACA99
                                        APIs
                                        • CreateThread.KERNEL32(00000000,00000000,004099A9,?,00000000,00000000), ref: 0040992A
                                        • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040993A
                                        • CreateThread.KERNEL32(00000000,00000000,004099B5,?,00000000,00000000), ref: 00409946
                                          • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                                          • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateThread$LocalTimewsprintf
                                        • String ID: Offline Keylogger Started
                                        • API String ID: 465354869-4114347211
                                        • Opcode ID: edeb66d2c323baf352d9b751a1761911fec01abb54ad2cfa812e3cab66cfbf98
                                        • Instruction ID: 73cd13916ef890eca76c0e29a3751801184202c96e3ca0ae9416a03768ca9078
                                        • Opcode Fuzzy Hash: edeb66d2c323baf352d9b751a1761911fec01abb54ad2cfa812e3cab66cfbf98
                                        • Instruction Fuzzy Hash: CF11ABB15003097AD220BA36DC87CBF765CDA813A8B40053EF845225D3EA785E54C6FB
                                        APIs
                                          • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                                          • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                          • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                        • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040A691
                                        • CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 0040A69D
                                        • CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateThread$LocalTime$wsprintf
                                        • String ID: Online Keylogger Started
                                        • API String ID: 112202259-1258561607
                                        • Opcode ID: 6342d03d0c9a2cdc3ce349886319e248d88a10a607891716496075ed72338117
                                        • Instruction ID: 3917ec9fcb61ff418b23047d8298326e5ff7fd14d64f683336ff9c65b5464130
                                        • Opcode Fuzzy Hash: 6342d03d0c9a2cdc3ce349886319e248d88a10a607891716496075ed72338117
                                        • Instruction Fuzzy Hash: DE01C4916003093AE62076368C87DBF3A6DCA813A8F40043EF541362C3E97D5D5582FB
                                        APIs
                                        • CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A991,`@,0046DD28,0000000C), ref: 0044AAC9
                                        • GetLastError.KERNEL32(?,0044A991,`@,0046DD28,0000000C), ref: 0044AAD3
                                        • __dosmaperr.LIBCMT ref: 0044AAFE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseErrorHandleLast__dosmaperr
                                        • String ID: `@
                                        • API String ID: 2583163307-951712118
                                        • Opcode ID: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                        • Instruction ID: 1bd3c876d7044edfb1a6812000b34c32b622226010ed5631802de8abdb52b33d
                                        • Opcode Fuzzy Hash: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                        • Instruction Fuzzy Hash: F8018E366446201AF7206674698577F77898B82738F2A027FF904972D2DE6DCCC5C19F
                                        APIs
                                        • PathFileExistsW.SHLWAPI(00000000), ref: 00419EAE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExistsFilePath
                                        • String ID: TUF$alarm.wav$xIG
                                        • API String ID: 1174141254-2188790166
                                        • Opcode ID: db4e0f36c4cc8cd18709483f80952620ae8d8fb6452da980725a6903548d7b2e
                                        • Instruction ID: 7a4fe07350b1461b8d7cab7706a536354aa1130be6e3c83a2e6414618e768e61
                                        • Opcode Fuzzy Hash: db4e0f36c4cc8cd18709483f80952620ae8d8fb6452da980725a6903548d7b2e
                                        • Instruction Fuzzy Hash: 8B01802060420166C604B676D866AEE77458BC1719F40413FF89A966E2EF6CAEC6C2DF
                                        APIs
                                        • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
                                        • CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
                                        • SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseEventHandleObjectSingleWait
                                        • String ID: Connection Timeout
                                        • API String ID: 2055531096-499159329
                                        • Opcode ID: e4aafb68730189f051766cfe717f4579ae2cf6b1a1b95cb5a966786d982b9e87
                                        • Instruction ID: ea4abd021a31a941d528121f8d879e106695b0b6a7a7fd2d86c7f06b9a048df4
                                        • Opcode Fuzzy Hash: e4aafb68730189f051766cfe717f4579ae2cf6b1a1b95cb5a966786d982b9e87
                                        • Instruction Fuzzy Hash: 7A01F5B1940B41AFD325BB3A9C4645ABBE4AB45315700053FF6D392BB1DA38E8408B5A
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
                                        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08
                                          • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 004347DC
                                          • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 00434800
                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                        • String ID: bad locale name
                                        • API String ID: 3628047217-1405518554
                                        • Opcode ID: bd0a6a6dae6415356e731995008518494c413937943f369f1725fb776b78fea2
                                        • Instruction ID: 69d9b4558c1556c2c918d31b5ea24064f6fee533cc814fb99c42b36f0b05f267
                                        • Opcode Fuzzy Hash: bd0a6a6dae6415356e731995008518494c413937943f369f1725fb776b78fea2
                                        • Instruction Fuzzy Hash: 1AF08171400204EAC724FB23D853ACA73A49F54748F90497FB506214D2EF38A618CA8C
                                        APIs
                                        • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExecuteShell
                                        • String ID: /C $cmd.exe$open
                                        • API String ID: 587946157-3896048727
                                        • Opcode ID: a342b09abf055597aed8f6fcd2cf2a15ee069eaa9ef8e66675d254ea24c1838a
                                        • Instruction ID: 3ae8c2b06d9b1922b9065f49b1512f2a4b1b87a12dccb2265ed1bd098505db2c
                                        • Opcode Fuzzy Hash: a342b09abf055597aed8f6fcd2cf2a15ee069eaa9ef8e66675d254ea24c1838a
                                        • Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E
                                        APIs
                                        • TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                        • UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                        • TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: TerminateThread$HookUnhookWindows
                                        • String ID: pth_unenc
                                        • API String ID: 3123878439-4028850238
                                        • Opcode ID: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                                        • Instruction ID: c35477c7b81069fed5c639b3d306817a7c517f63bcb5e1090982200d4e51bed9
                                        • Opcode Fuzzy Hash: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                                        • Instruction Fuzzy Hash: 32E01DB1209317DFD3101F546C84825B799EB44356324047FF6C155252C5798C54C759
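The function records above expose a set of plaintext marker strings that the sample carries in its image (the keylogger start banners, "Connection Timeout", "pth_unenc", "alarm.wav", the "/sort "Visit Time" /stext" tool command line, and the "Cleared browsers logins and cookies." message listed in the strings record further down). The following scanner is an added example written for this page, not part of the Joe Sandbox report or of the sample. It takes the marker list from those String ID fields and searches a memory dump or PE image for each marker in both ASCII and UTF-16LE, since the records show the sample using wide-char APIs (wsprintfW, CreateFileW). The sample buffer is constructed here for the demonstration, and the two-distinct-marker threshold is an assumption chosen to keep a single generic string such as "Connection Timeout" from producing a verdict on its own.

```python
"""Scan a memory dump or PE image for the Remcos marker strings listed in this report.

Added example, not part of the Joe Sandbox report. Marker list taken from the
report's String ID fields; the sample buffer below is constructed for the demo.
"""
from dataclasses import dataclass

# Marker strings copied from the "String ID" fields of the function records.
# The sample uses wide-char APIs (wsprintfW, CreateFileW), so every marker is
# searched both as ASCII and as UTF-16LE.
REMCOS_MARKERS = (
    "Offline Keylogger Started",
    "Online Keylogger Started",
    "Connection Timeout",
    "pth_unenc",
    "Cleared browsers logins and cookies.",
    '/sort "Visit Time" /stext',
    "alarm.wav",
)


@dataclass(frozen=True)
class Hit:
    marker: str
    encoding: str  # "ascii" or "utf-16le"
    offset: int    # byte offset into the scanned buffer


def _needles(marker):
    """Yield (encoding name, encoded bytes) for both encodings of a marker."""
    yield "ascii", marker.encode("ascii")
    yield "utf-16le", marker.encode("utf-16le")


def scan(buf: bytes) -> list:
    """Return every marker occurrence in buf, sorted by offset."""
    hits = []
    for marker in REMCOS_MARKERS:
        for enc_name, needle in _needles(marker):
            start = 0
            while True:
                idx = buf.find(needle, start)
                if idx < 0:
                    break
                hits.append(Hit(marker, enc_name, idx))
                start = idx + 1  # continue past this hit; catches overlaps too
    return sorted(hits, key=lambda h: h.offset)


def verdict(hits, min_distinct: int = 2) -> bool:
    """Flag the buffer only when at least min_distinct different markers occur.

    Assumed threshold: a lone "Connection Timeout" is too generic to act on,
    whereas two or more of these strings together are characteristic of Remcos.
    """
    return len({h.marker for h in hits}) >= min_distinct


# Constructed sample dump: padding, one wide-char marker, one ASCII marker.
SAMPLE_DUMP = (
    b"\x00" * 64
    + "Offline Keylogger Started".encode("utf-16le")  # 50 bytes, offset 64
    + b"\x00" * 16
    + b"pth_unenc\x00"                                 # offset 130
    + b"\x90" * 32
)

if __name__ == "__main__":
    found = scan(SAMPLE_DUMP)
    for h in found:
        print(f"{h.offset:#010x}  {h.encoding:9s}  {h.marker!r}")
    print("remcos-like:", verdict(found))
```

Run it against a process dump taken at the point the report's own snapshots were made (the `.sdmp` regions listed under Memory Dump Source) rather than against the packed file on disk; a packed or encrypted stage will not carry these strings in the clear, which is why the threshold is applied to decoded memory.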
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __alldvrm$_strrchr
                                        • String ID:
                                        • API String ID: 1036877536-0
                                        • Opcode ID: 04a0325834f843994ade633b459a1d3cb356a39676a395bc181b674f0ba6452b
                                        • Instruction ID: 63a095292c52d92af2bf19a392fdfa9b0d117a80b68c781492b1ecdde0b53e6f
                                        • Opcode Fuzzy Hash: 04a0325834f843994ade633b459a1d3cb356a39676a395bc181b674f0ba6452b
                                        • Instruction Fuzzy Hash: 60A168729042469FFB21CF58C8817AEBBE2EF55314F24416FE5849B382DA3C8D45C759
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                         Joe Sandbox IDA Plugin
                                         • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d8b583558f75d554b20f0fedcbaebc1f151a0833ef22d7844c2f17114d5a19f4
                                        • Instruction ID: 90b3d0a8f148eb65ba096d855dd205fb67a40d318d5acb0a54968c3478788488
                                        • Opcode Fuzzy Hash: d8b583558f75d554b20f0fedcbaebc1f151a0833ef22d7844c2f17114d5a19f4
                                        • Instruction Fuzzy Hash: 10412B71A00744AFF724AF78CC41B6ABBE8EF88714F10452FF511DB291E679A9458788
                                        Strings
                                        • Cleared browsers logins and cookies., xrefs: 0040B8EF
                                        • [Cleared browsers logins and cookies.], xrefs: 0040B8DE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                         Joe Sandbox IDA Plugin
                                         • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Similarity
                                        • API ID: Sleep
                                        • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                        • API String ID: 3472027048-1236744412
                                        • Opcode ID: f93b6b6c96551599ebd69fe64bee0d63dad0637a340ebfcf96dabdaa3587bf98
                                        • Instruction ID: 8ec9c8031b8ac0664cfb8a22ca307bf710261ddd843e88104a77dac6ce00e7b7
                                        • Opcode Fuzzy Hash: f93b6b6c96551599ebd69fe64bee0d63dad0637a340ebfcf96dabdaa3587bf98
                                        • Instruction Fuzzy Hash: FA31891564C3816ACA11777514167EB6F958A93754F0884BFF8C4273E3DB7A480893EF
                                        APIs
                                          • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                          • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                          • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                        • Sleep.KERNEL32(00000BB8), ref: 004115C3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                         Joe Sandbox IDA Plugin
                                         • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Similarity
                                        • API ID: CloseOpenQuerySleepValue
                                        • String ID: @CG$exepath$BG
                                        • API String ID: 4119054056-3221201242
                                        • Opcode ID: ce40ddf8ade15cbc55dad7ca55a643431616a938a18cec2763378ea7843a65e0
                                        • Instruction ID: 48aadeccb903c06d46a934e3c92f1fe58b0119fffb77d403c20537554d94cb98
                                        • Opcode Fuzzy Hash: ce40ddf8ade15cbc55dad7ca55a643431616a938a18cec2763378ea7843a65e0
                                        • Instruction Fuzzy Hash: C721F4A0B002042BD614B77A6C06ABF724E8BD1308F00457FBD4AA72D3DE7D9D4581AD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                         Joe Sandbox IDA Plugin
                                         • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Similarity
                                        • API ID: SystemTimes$Sleep__aulldiv
                                        • String ID:
                                        • API String ID: 188215759-0
                                        • Opcode ID: 92a2626712ce3f1da2ce83f7d896a05a413d351f08ea1f1dcdc4cf9aeb41d840
                                        • Instruction ID: 3b66203fd79088dfadce72ddbf0b0401c54eb4bd27628439374ba0e7aa9136f0
                                        • Opcode Fuzzy Hash: 92a2626712ce3f1da2ce83f7d896a05a413d351f08ea1f1dcdc4cf9aeb41d840
                                        • Instruction Fuzzy Hash: 9D215E725083009BC304DF65D98589FB7E8EFC8654F044A2EF589D3251EA34EA49CB63
                                        APIs
                                          • Part of subcall function 0041B6E6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B6F6
                                          • Part of subcall function 0041B6E6: GetWindowTextLengthW.USER32(00000000), ref: 0041B6FF
                                          • Part of subcall function 0041B6E6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B729
                                        • Sleep.KERNEL32(000001F4), ref: 00409C95
                                        • Sleep.KERNEL32(00000064), ref: 00409D1F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                         Joe Sandbox IDA Plugin
                                         • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Similarity
                                        • API ID: Window$SleepText$ForegroundLength
                                        • String ID: [ $ ]
                                        • API String ID: 3309952895-93608704
                                        • Opcode ID: ebd93478415d7ceaf08988c946588b0e8d461d13856b31c8a019e387675c6f26
                                        • Instruction ID: a5f4dc9a3e016f43683dc3f70dfd76a68f9d753ffdb665cb1c6be196efeb7d0c
                                        • Opcode Fuzzy Hash: ebd93478415d7ceaf08988c946588b0e8d461d13856b31c8a019e387675c6f26
                                        • Instruction Fuzzy Hash: 4611C0325082005BD218FB25DC17AAEB7A8AF51708F40047FF542221E3EF39AE1986DF
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5CE
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B5EB
                                        • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B5FF
                                        • CloseHandle.KERNEL32(00000000), ref: 0041B60C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                         Joe Sandbox IDA Plugin
                                         • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Similarity
                                        • API ID: File$CloseCreateHandlePointerWrite
                                        • String ID:
                                        • API String ID: 3604237281-0
                                        • Opcode ID: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                        • Instruction ID: 083799f3d1f95ebfb1fb2bbe8bc155d348f6fb5eb74ded268dd94cd43ec1eb57
                                        • Opcode Fuzzy Hash: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                        • Instruction Fuzzy Hash: 7501F5712092157FE6104F28AC89EBB739EEB86379F10063AF552C22C0D725CD8586BE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                         Joe Sandbox IDA Plugin
                                         • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
                                        • Instruction ID: c84c011be516b9a55b4d27d1f6be1bd7d35570b7e88518a67a440710abbdd315
                                        • Opcode Fuzzy Hash: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
                                        • Instruction Fuzzy Hash: 780126F26097153EF62016796CC1F6B230CDF823B8B34073BF421652E1EAA8CC01506C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                         Joe Sandbox IDA Plugin
                                         • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                                        • Instruction ID: e6f180ecc181abb5a77ec057abe27f8575e00a75e8bcf6cd4df5c03139e47140
                                        • Opcode Fuzzy Hash: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                                        • Instruction Fuzzy Hash: E10121F2A092163EB62016797DD0DA7260DDF823B8374033BF421722D2EAA88C004068
                                        APIs
                                        • ___BuildCatchObject.LIBVCRUNTIME ref: 0043810F
                                          • Part of subcall function 0043805C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043808B
                                          • Part of subcall function 0043805C: ___AdjustPointer.LIBCMT ref: 004380A6
                                        • _UnwindNestedFrames.LIBCMT ref: 00438124
                                        • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438135
                                        • CallCatchBlock.LIBVCRUNTIME ref: 0043815D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                         Joe Sandbox IDA Plugin
                                         • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Similarity
                                        • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                        • String ID:
                                        • API String ID: 737400349-0
                                        • Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                        • Instruction ID: 9a8277e88b86f5caaa8344fd0510e130f37262ecddc885b6c63592dc4fca678f
                                        • Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                        • Instruction Fuzzy Hash: 09014032100208BBDF126E96CC45DEB7B69EF4C758F04500DFE4866121C739E861DBA8
                                        APIs
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00414BBD,00000000,00000000,?,004471B7,00414BBD,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue), ref: 00447242
                                        • GetLastError.KERNEL32(?,004471B7,00414BBD,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446F91), ref: 0044724E
                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471B7,00414BBD,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044725C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                         Joe Sandbox IDA Plugin
                                         • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Similarity
                                        • API ID: LibraryLoad$ErrorLast
                                        • String ID:
                                        • API String ID: 3177248105-0
                                        • Opcode ID: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                        • Instruction ID: 998cab178f840ac2caaf283a3a5c141d85ba25b8fcaedc139a46ff50caeaa73b
                                        • Opcode Fuzzy Hash: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                        • Instruction Fuzzy Hash: FC01D83261D7236BD7214B79AC44A577798BB05BA1B1106B2F906E3241D768D802C6D8
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 0041B647
                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041B66C
                                        • CloseHandle.KERNEL32(00000000), ref: 0041B67A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                         Joe Sandbox IDA Plugin
                                         • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Similarity
                                        • API ID: File$CloseCreateHandleReadSize
                                        • String ID:
                                        • API String ID: 3919263394-0
                                        • Opcode ID: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                        • Instruction ID: 0a6fce4b3becde4f67ebc64a516323d43c368a538d14007d95c0a1c89629aad3
                                        • Opcode Fuzzy Hash: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                        • Instruction Fuzzy Hash: B3F0F6B12053047FE6101B25FC85FBF375CDB867A5F00023EFC01A22D1DA658C459179
                                        APIs
                                        • GetSystemMetrics.USER32(0000004C), ref: 00418519
                                        • GetSystemMetrics.USER32(0000004D), ref: 0041851F
                                        • GetSystemMetrics.USER32(0000004E), ref: 00418525
                                        • GetSystemMetrics.USER32(0000004F), ref: 0041852B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                         Joe Sandbox IDA Plugin
                                         • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Similarity
                                        • API ID: MetricsSystem
                                        • String ID:
                                        • API String ID: 4116985748-0
                                        • Opcode ID: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
                                        • Instruction ID: 928f1b056b10b768f566869b0c9e39fed015f0adb742d9b99f9daccd71f82e50
                                        • Opcode Fuzzy Hash: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
                                        • Instruction Fuzzy Hash: 96F0D672B043216BCA00EA798C4556FBB97DFD02A4F25083FE6059B341DEB8EC4687D9
                                        APIs
                                        • __startOneArgErrorHandling.LIBCMT ref: 00441F6D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                         Joe Sandbox IDA Plugin
                                         • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Similarity
                                        • API ID: ErrorHandling__start
                                        • String ID: pow
                                        • API String ID: 3213639722-2276729525
                                        • Opcode ID: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
                                        • Instruction ID: c296867054112a427edbdd16b3baf579c6faf9d8481746a729c2ad46b2c40409
                                        • Opcode Fuzzy Hash: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
                                        • Instruction Fuzzy Hash: 2A517B61A1620196F7117714C98137F2BD0DB50741F688D6BF085423F9DF3D8CDA9A4E
                                        APIs
                                        • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB59
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                         Joe Sandbox IDA Plugin
                                         • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Similarity
                                        • API ID: Info
                                        • String ID: $fD
                                        • API String ID: 1807457897-3092946448
                                        • Opcode ID: 5a1be195421d57dadb90a7404d285975d7b8ac1b4122976fa75ce4288470c48d
                                        • Instruction ID: 070357306f4c5095a08430c9ceac02bf5c2973ae7142a422f036c1757655e3b4
                                        • Opcode Fuzzy Hash: 5a1be195421d57dadb90a7404d285975d7b8ac1b4122976fa75ce4288470c48d
                                        • Instruction Fuzzy Hash: C241FA7090439C9AEB218F24CCC4BF6BBB9DF45308F1404EEE59A87242D279AE45DF65
                                        APIs
                                        • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417C08
                                          • Part of subcall function 004177A2: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417C1B,00000000,?,?,?,?,00000000), ref: 004177B6
                                        • SHCreateMemStream.SHLWAPI(00000000), ref: 00417C55
                                          • Part of subcall function 00417815: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417C71,00000000,?,?), ref: 00417827
                                          • Part of subcall function 004177C5: GdipDisposeImage.GDIPLUS(?,00417CCC), ref: 004177CE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                        • String ID: image/jpeg
                                        • API String ID: 1291196975-3785015651
                                        • Opcode ID: fa7ad5d4cca06413aa3153280c9deb26addd226233a17832a60259afbc4e9117
                                        • Instruction ID: 3dbe320e324aa312c145f712c1d391ec03548c85c69305bb74e69b0931de3aa8
                                        • Opcode Fuzzy Hash: fa7ad5d4cca06413aa3153280c9deb26addd226233a17832a60259afbc4e9117
                                        • Instruction Fuzzy Hash: 13315C75508300AFC301AF65C884DAFBBF9FF8A704F000A2EF94597251DB79A905CBA6
                                        APIs
                                        • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450B39,?,00000050,?,?,?,?,?), ref: 004509B9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: ACP$OCP
                                        • API String ID: 0-711371036
                                        • Opcode ID: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                        • Instruction ID: 7e3e8aaac6bfe0b7539266298c93f9b0706a3ab6a9e9f394231f134d2b8bf5b7
                                        • Opcode Fuzzy Hash: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                        • Instruction Fuzzy Hash: 072138EAA04201A6F7348B558801B9B7396AF54B23F164826EC49D730BF739DD49C358
                                        APIs
                                        • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417CF4
                                          • Part of subcall function 004177A2: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417C1B,00000000,?,?,?,?,00000000), ref: 004177B6
                                        • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00417D19
                                          • Part of subcall function 00417815: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417C71,00000000,?,?), ref: 00417827
                                          • Part of subcall function 004177C5: GdipDisposeImage.GDIPLUS(?,00417CCC), ref: 004177CE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                        • String ID: image/png
                                        • API String ID: 1291196975-2966254431
                                        • Opcode ID: 7c847f4afdc389cf9a271c0bd5ee0ce482c286e0475bb26b27d0e01e1af6b93a
                                        • Instruction ID: e3b7944e5392015f30009faa46d0af48502643625c308f0969f1fef2cb3c76d4
                                        • Opcode Fuzzy Hash: 7c847f4afdc389cf9a271c0bd5ee0ce482c286e0475bb26b27d0e01e1af6b93a
                                        • Instruction Fuzzy Hash: AA21A135204211AFC300AF61CC88CAFBBBDEFCA714F10052EF90693151DB399945CBA6
                                        APIs
                                        • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1
                                          • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                        • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E
                                        Strings
                                        • KeepAlive | Enabled | Timeout: , xrefs: 004049E5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LocalTime
                                        • String ID: KeepAlive | Enabled | Timeout:
                                        • API String ID: 481472006-1507639952
                                        • Opcode ID: 36e37b147312bfb87bcb91e03b7b37eee2d7f01753b5705dfd55cb62ab7fd0e1
                                        • Instruction ID: fa495feba5854bec2644a8330ceabc5ae1d4c14ac10d4033695aa89a80f4fa5c
                                        • Opcode Fuzzy Hash: 36e37b147312bfb87bcb91e03b7b37eee2d7f01753b5705dfd55cb62ab7fd0e1
                                        • Instruction Fuzzy Hash: 5A2126A1A042806BC310FB6AD80A76B7B9497D1319F44407EF849532E2DB3C5999CB9F
                                        APIs
                                        • GetStdHandle.KERNEL32(000000F6), ref: 00448943
                                        • GetFileType.KERNEL32(00000000), ref: 00448955
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: FileHandleType
                                        • String ID: `Q^
                                        • API String ID: 3000768030-2565145300
                                        • Opcode ID: ccc95ea5b6d1fe52f093f2cf044264499b4e41becef1697495b2cca3fae492d0
                                        • Instruction ID: e72e3a163d38be5f7a7623f46eac45f8fe04114c14e2a7ad6025d4c7bfa50cde
                                        • Opcode Fuzzy Hash: ccc95ea5b6d1fe52f093f2cf044264499b4e41becef1697495b2cca3fae492d0
                                        • Instruction Fuzzy Hash: D41145B1508F524AE7304E3D8C8863BBA959756330B380B2FD5B6867F1CF28D886954B
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free
                                        • String ID: `Q^
                                        • API String ID: 269201875-2565145300
                                        • Opcode ID: ca01ae77a811ea6e1882d950de224612bd516a70c3fdde4a712b874a0400f1fb
                                        • Instruction ID: 8090df87744a04f370904591f18fafe20db4d8262e12f9b5c6200b5f8240d2d1
                                        • Opcode Fuzzy Hash: ca01ae77a811ea6e1882d950de224612bd516a70c3fdde4a712b874a0400f1fb
                                        • Instruction Fuzzy Hash: C111E671A4030147F7249F2DAC42F563298E755734F25222BF979EB6E0D778C892428E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: LG$XG
                                        • API String ID: 0-1482930923
                                        • Opcode ID: c15126115d7b74b818ce8cc4bfc83f894c4a74ec01747284a75d25f55942686d
                                        • Instruction ID: b803d8f2fb0d60b71c32d24796bf113498d2ea24005d64aa96dbf80bf0db992b
                                        • Opcode Fuzzy Hash: c15126115d7b74b818ce8cc4bfc83f894c4a74ec01747284a75d25f55942686d
                                        • Instruction Fuzzy Hash: CE11A3B1D01654AACB20EFA998017CFB7A55F09725F14D06BED18EF281D3B9DB408B98
                                        APIs
                                        • GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LocalTime
                                        • String ID: | $%02i:%02i:%02i:%03i
                                        • API String ID: 481472006-2430845779
                                        • Opcode ID: 040b29047e96cc530a350bc02ebd3b5c488f5377e07d7cbdee830d488a09d55b
                                        • Instruction ID: d205b4ebe2adc0156a37935a73d605e8b5d9817e81284f53efab16a15aec7ece
                                        • Opcode Fuzzy Hash: 040b29047e96cc530a350bc02ebd3b5c488f5377e07d7cbdee830d488a09d55b
                                        • Instruction Fuzzy Hash: 80114C725082045AC704EBA5D8568AF73E8AB94708F10053FFC85931E1EF38DA84C69E
                                        APIs
                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00412612
                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00412648
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: QueryValue
                                        • String ID: TUF
                                        • API String ID: 3660427363-3431404234
                                        • Opcode ID: 1636fbb0ac47c152b1cc20f2060babeef58eb75f28316eb00dcc0bc63989a3ea
                                        • Instruction ID: 62a4949b47554db758ef5e9b715c6ec4cc130d120bf99ac1ec1555789b8052d8
                                        • Opcode Fuzzy Hash: 1636fbb0ac47c152b1cc20f2060babeef58eb75f28316eb00dcc0bc63989a3ea
                                        • Instruction Fuzzy Hash: BC01A7B6A00108BFDB049B95DD46EFF7ABDDF44240F10007AF901E2251E6749F009664
                                        APIs
                                          • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                                          • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                          • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                        • CloseHandle.KERNEL32(?), ref: 0040A7CA
                                        • UnhookWindowsHookEx.USER32 ref: 0040A7DD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                        • String ID: Online Keylogger Stopped
                                        • API String ID: 1623830855-1496645233
                                        • Opcode ID: 39cace8de3b71b1ab7e2389c94fa8a099f32ea781476cbb4ed9a2e65fdbab590
                                        • Instruction ID: 3c154674506c802d119dc10506b29c5389a087cae46ba36945c53301bfe6088f
                                        • Opcode Fuzzy Hash: 39cace8de3b71b1ab7e2389c94fa8a099f32ea781476cbb4ed9a2e65fdbab590
                                        • Instruction Fuzzy Hash: CC01D431A043019BDB25BB35C80B7AEBBB59B45315F80407FE481225D2EB7999A6C3DB
                                        APIs
                                          • Part of subcall function 00444ACC: EnterCriticalSection.KERNEL32(?,?,0044225B,00000000,0046DAC0,0000000C,00442216,?,?,?,00448739,?,?,00446F74,00000001,00000364), ref: 00444ADB
                                        • DeleteCriticalSection.KERNEL32(?,?,?,?,?,0046DCA8,00000010,0043AD15), ref: 004487C5
                                        • _free.LIBCMT ref: 004487D3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CriticalSection$DeleteEnter_free
                                        • String ID: `Q^
                                        • API String ID: 1836352639-2565145300
                                        • Opcode ID: 70fd0d90dafa84e5954845fa7c0139c51f18b2004160b2b9a8cec1cc6ebfe676
                                        • Instruction ID: 80ff6b1ebb5c52940da2afcd5602a1ef1f033d169bf7bf1965dfa6e3099da3c5
                                        • Opcode Fuzzy Hash: 70fd0d90dafa84e5954845fa7c0139c51f18b2004160b2b9a8cec1cc6ebfe676
                                        • Instruction Fuzzy Hash: 6E1179359002059FE724DF99D842B5C73B0EB08729F25415AE865AB2B2CB38E8828B0D
                                        APIs
                                        • waveInPrepareHeader.WINMM(005DFA18,00000020,?,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 00401747
                                        • waveInAddBuffer.WINMM(005DFA18,00000020,?,00000000,00401913), ref: 0040175D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: wave$BufferHeaderPrepare
                                        • String ID: T=G
                                        • API String ID: 2315374483-379896819
                                        • Opcode ID: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                        • Instruction ID: f8644d152c35c587af506687758c025c54344a6e575747702fe1289d7b8da532
                                        • Opcode Fuzzy Hash: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                        • Instruction Fuzzy Hash: 65018B71301300AFD7209F39EC45A69BBA9EB4931AF01413EB808D32B1EB34A8509B98
                                        APIs
                                        • IsValidLocale.KERNEL32(00000000,j=D,00000000,00000001,?,?,00443D6A,?,?,?,?,00000004), ref: 004477DC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                        • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: LocaleValid
                                        • String ID: IsValidLocaleName$j=D
                                        • API String ID: 1901932003-3128777819
                                        • Opcode ID: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                        • Instruction ID: d075984350fdfa8650c9f53b231b8a0b142c4dacf6ed37e79753978632a381d4
                                        • Opcode Fuzzy Hash: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                        • Instruction Fuzzy Hash: B7F0E930A45218F7EA116B61DC06F5EBB54CF49B11F50407AFD056A293CB796D0195DC
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: T=G$T=G
                                        • API String ID: 3519838083-3732185208
                                        • Opcode ID: d35d56db29c3f898e339c7594dbfd576fe9197a4ca502cfea50645c21fb802bf
                                        • Instruction ID: 37a3980bbf64332544f5ef03d086655580814226aad47650f393c0c18fea351b
                                        • Opcode Fuzzy Hash: d35d56db29c3f898e339c7594dbfd576fe9197a4ca502cfea50645c21fb802bf
                                        • Instruction Fuzzy Hash: BCF0E971A00220ABC714BB65C80669EB774EF41369F10827FB416B72E1CBBD5D04D65D
                                        APIs
                                        • GetKeyState.USER32(00000011), ref: 0040AD5B
                                          • Part of subcall function 00409B10: GetForegroundWindow.USER32 ref: 00409B3F
                                          • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                          • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                          • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
                                          • Part of subcall function 00409B10: GetKeyboardState.USER32(?), ref: 00409B67
                                          • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                                          • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                          • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                        • String ID: [AltL]$[AltR]
                                        • API String ID: 2738857842-2658077756
                                        • Opcode ID: c0c7afa873da1f73a1fe5c81c8cf2f93ed3ee5fe4ba19fbc98e8737b6bcc32b1
                                        • Instruction ID: d2c0c429c9fe13b3c6c970781ecfc4970ab7400740a1dec538c1fc9fef0a0b20
                                        • Opcode Fuzzy Hash: c0c7afa873da1f73a1fe5c81c8cf2f93ed3ee5fe4ba19fbc98e8737b6bcc32b1
                                        • Instruction Fuzzy Hash: 47E0652134072117C898323EA91E6EE3A228F82B65B80416FF8866BAD6DD6D4D5053CB
                                        APIs
                                        • _free.LIBCMT ref: 00448825
                                          • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                          • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ErrorFreeHeapLast_free
                                        • String ID: `@$`@
                                        • API String ID: 1353095263-20545824
                                        • Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                        • Instruction ID: 46705ffcfacdd7a720b29fb61e5cb4af2d59a6418439a2947ca99394172970e0
                                        • Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                        • Instruction Fuzzy Hash: B9E06D761006059F8720DE6DD400A86B7E4EF95360320852AE89DE3310DB32E812CB40
                                        APIs
                                        • GetKeyState.USER32(00000012), ref: 0040ADB5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: State
                                        • String ID: [CtrlL]$[CtrlR]
                                        • API String ID: 1649606143-2446555240
                                        • Opcode ID: 017dd08ea117ef9949e136069607eb1ceb0e9bbc0bd8767c02a12888e350b825
                                        • Instruction ID: 615b7dbe40c0b8188db9493e0f2b19f017fb36a74fa458c508a435569d7d4a1e
                                        • Opcode Fuzzy Hash: 017dd08ea117ef9949e136069607eb1ceb0e9bbc0bd8767c02a12888e350b825
                                        • Instruction Fuzzy Hash: 71E0862170071117C514353DD61A67F39228F41776F80013FF882ABAC6E96D8D6023CB
                                        APIs
                                        • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040BFB2,00000000,004742E0,004742F8,?,pth_unenc), ref: 00412988
                                        • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412998
                                        Strings
                                        • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: DeleteOpenValue
                                        • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                        • API String ID: 2654517830-1051519024
                                        • Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                        • Instruction ID: 4813e9247c8a4fa7715124fbb4df20ddc3d96ddce1d5e270e7c0f337b45b5704
                                        • Opcode Fuzzy Hash: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                        • Instruction Fuzzy Hash: 0AE01270310304BFEF104F61ED06FDB37ACBB80B89F004165F505E5191E2B5DD54A658
                                        APIs
                                          • Part of subcall function 00448763: DeleteCriticalSection.KERNEL32(?,?,?,?,?,0046DCA8,00000010,0043AD15), ref: 004487C5
                                          • Part of subcall function 00448763: _free.LIBCMT ref: 004487D3
                                          • Part of subcall function 00448803: _free.LIBCMT ref: 00448825
                                        • DeleteCriticalSection.KERNEL32(005E5140), ref: 0043AD31
                                        • _free.LIBCMT ref: 0043AD45
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: _free$CriticalDeleteSection
                                        • String ID: `Q^
                                        • API String ID: 1906768660-2565145300
                                        • Opcode ID: 105ba6d038f868bf5ead38a2174c8304849bb37afa14ec3855613d5ccb5e7185
                                        • Instruction ID: c0f14a4ae43bd4c9a132c894413e2ce2621f066976e8a01f329b24b3578183a2
                                        • Opcode Fuzzy Hash: 105ba6d038f868bf5ead38a2174c8304849bb37afa14ec3855613d5ccb5e7185
                                        • Instruction Fuzzy Hash: 3EE0D832C042108BF7247B5DFC469493398DB49725B13006EF81873171CA246CD1864D
                                        APIs
                                        • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040AF84
                                        • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040AFAF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: DeleteDirectoryFileRemove
                                        • String ID: pth_unenc
                                        • API String ID: 3325800564-4028850238
                                        • Opcode ID: 4546e6e0ba58337ae7336522498a141f2916029a30d3b6ad4aab1b42fa748339
                                        • Instruction ID: b68931c7331ddc333ece9e06749e281aefc344294653c9eba2f2de372e339d66
                                        • Opcode Fuzzy Hash: 4546e6e0ba58337ae7336522498a141f2916029a30d3b6ad4aab1b42fa748339
                                        • Instruction Fuzzy Hash: FEE046715112108BC610AB31EC44AEBB398AB05316F00487FF8D3A36A1DE38A988CA98
                                        APIs
                                        • TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                        • WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ObjectProcessSingleTerminateWait
                                        • String ID: pth_unenc
                                        • API String ID: 1872346434-4028850238
                                        • Opcode ID: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                                        • Instruction ID: 4302d9c34f7b4dbdac7fc8682473a51625df35810590c52ad239c14707b44b4b
                                        • Opcode Fuzzy Hash: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                                        • Instruction Fuzzy Hash: C1D0C938559211AFD7614B68BC08B453B6AA745222F108277F828413F1C72598A4AE1C
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CountInfoInputLastTick
                                        • String ID: >G
                                        • API String ID: 3478931382-1296849874
                                        • Opcode ID: 1111c95a6731b81c7f960cf0461dbe35cffbdc62c157a0c369b4dce9d438a623
                                        • Instruction ID: 0f25e8e52f9a29d92835049ed671f456ff59a02a7b46a548dc943f175ac88346
                                        • Opcode Fuzzy Hash: 1111c95a6731b81c7f960cf0461dbe35cffbdc62c157a0c369b4dce9d438a623
                                        • Instruction Fuzzy Hash: FCD0127040020DBFCB00DFE4EC4D98DBFFCEB00349F104168A005A2111DB70E6448B24
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CommandLine
                                        • String ID: 8(\
                                        • API String ID: 3253501508-3938049615
                                        • Opcode ID: 2702c5f118dd3839dbc4dd886e2cdb728e5ea39e06e223ea52f31eba807d30e7
                                        • Instruction ID: 13d69598d350970c9b91df73096b24a53109b9b907d0ea4b726438dfa3130670
                                        • Opcode Fuzzy Hash: 2702c5f118dd3839dbc4dd886e2cdb728e5ea39e06e223ea52f31eba807d30e7
                                        • Instruction Fuzzy Hash: 09B0027D8157009FC7419F79BD5D1443BA0B75861339094B5DC19C7B35DA358085EF18
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FAF4
                                        • GetLastError.KERNEL32 ref: 0043FB02
                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB5D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.4482857713.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                         • Associated: 00000000.00000002.4482842621.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482891327.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482911804.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.4482974523.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_400000_17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharMultiWide$ErrorLast
                                        • String ID:
                                        • API String ID: 1717984340-0
                                        • Opcode ID: 641cf42bdd343eb89e62379c4a250951f72419ef29a502270e4b2a68cd87e0bf
                                        • Instruction ID: ecac45699e256c48587d6f27f66036641a8fb520bb473c9b2adecd150689d728
                                        • Opcode Fuzzy Hash: 641cf42bdd343eb89e62379c4a250951f72419ef29a502270e4b2a68cd87e0bf
                                        • Instruction Fuzzy Hash: 65414871E00206AFCF258F65C854ABBFBA4EF09310F1451BAF858973A1DB38AD09C759