
Windows Analysis Report
17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe

Overview

General Information

Sample name: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe
Analysis ID: 1561336
MD5: c79d2fae260eb141b5abdef70699b2f7
SHA1: 3f4602c889b5a8da7a3899340913338610eb444d
SHA256: 39f13c40aa478d6c1d0523d2710ae9144162054f0b754f8af151fea3b3bbfcae
Tags: base64-decoded, exe, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Installs a global keyboard hook
Machine Learning detection for sample
Uses dynamic DNS services
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Extracted malware configuration (Remcos):
{
  "Host:Port:Password": ["shilajat.duckdns.org:2404:1"],
  "Assigned name": "Pastnov",
  "Connect interval": "1",
  "Install flag": "Disable",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Enable",
  "Install path": "Application path",
  "Copy file": "remcos.exe",
  "Startup value": "Disable",
  "Hide file": "Disable",
  "Mutex": "shilajit-ISLNRR",
  "Keylog flag": "1",
  "Keylog path": "Application path",
  "Keylog file": "Book.dat",
  "Keylog crypt": "Enable",
  "Hide keylog file": "Enable",
  "Screenshot flag": "Disable",
  "Screenshot time": "1",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Capturas de pantalla",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "5",
  "Audio folder": "MicRecords",
  "Connect delay": "0",
  "Copy folder": "Remcos",
  "Keylog folder": "Asus"
}
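The configuration above is what the sandbox's extractor recovered from the sample's settings blob. The following is an added example, not code from the Joe Sandbox report and not Remcos' own code, showing how such a blob is decrypted and split into the named fields, and how hunting artifacts (C2 host and port, mutex, Run keys, keylog file) fall out of the parsed result. Everything about the layout is an assumption taken from public Remcos write-ups rather than from this report: a one-byte RC4 key length, the RC4 key, RC4 ciphertext, fields separated by `|\x1e\x1e\x1f|`, C2 entries inside the first field separated by `\x1e\xff\x1f`, and the field order (taken here to match the order the report prints). The RC4 key and blob used for the demonstration are constructed in the script; the field values mirror the report's configuration.

```python
"""Decrypt and parse a Remcos-style SETTINGS blob, then derive hunting artifacts.

Added example; layout details are assumptions from public Remcos analyses:
  blob      = key_len (1 byte) || rc4_key (key_len bytes) || RC4(plaintext)
  plaintext = field_0 SEP field_1 SEP ... ; field_0 holds C2 entries written
              as "host:port:password" and joined by C2_SEP.
"""
import json
from typing import Dict, List, Tuple

SEP = b"|\x1e\x1e\x1f|"      # field separator (assumed)
C2_SEP = b"\x1e\xff\x1f"     # separator between C2 entries inside field 0 (assumed)

# Field order assumed to follow the order the report's extractor prints.
FIELD_NAMES = [
    "Host:Port:Password", "Assigned name", "Connect interval", "Install flag",
    "Setup HKCU\\Run", "Setup HKLM\\Run", "Install path", "Copy file",
    "Startup value", "Hide file", "Mutex", "Keylog flag", "Keylog path",
    "Keylog file", "Keylog crypt", "Hide keylog file",
]


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty RC4 key")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_settings(blob: bytes) -> Dict[str, object]:
    """Split key/ciphertext, decrypt, and name each field; reject malformed blobs."""
    if len(blob) < 2:
        raise ValueError("blob too short to hold a key")
    key_len = blob[0]
    if key_len == 0 or len(blob) <= 1 + key_len:
        raise ValueError("key length byte inconsistent with blob size")
    key, ciphertext = blob[1:1 + key_len], blob[1 + key_len:]
    fields = rc4(key, ciphertext).split(SEP)
    cfg: Dict[str, object] = {}
    for idx, raw in enumerate(fields):
        name = FIELD_NAMES[idx] if idx < len(FIELD_NAMES) else f"field_{idx}"
        if idx == 0:   # C2 list
            cfg[name] = [e.decode("latin-1") for e in raw.split(C2_SEP) if e]
        else:
            cfg[name] = raw.decode("latin-1")
    return cfg


def derive_iocs(cfg: Dict[str, object]) -> Dict[str, object]:
    """Turn config fields into concrete artifacts to hunt for."""
    c2: List[Tuple[str, int]] = []
    for entry in cfg.get("Host:Port:Password", []):
        parts = entry.split(":")
        if len(parts) < 3 or not parts[1].isdigit():
            continue                            # malformed entry: skip, do not crash
        c2.append((parts[0], int(parts[1])))    # parts[2:] is the password
    run_keys = []
    for hive in ("HKCU", "HKLM"):
        if cfg.get(f"Setup {hive}\\Run") == "Enable":
            run_keys.append(f"{hive}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run")
    return {
        "c2": c2,
        "mutex": cfg.get("Mutex"),
        # the copy only happens when install is enabled; this sample has it disabled
        "dropped_file": cfg.get("Copy file") if cfg.get("Install flag") == "Enable" else None,
        "keylog_file": cfg.get("Keylog file") if cfg.get("Keylog flag") == "1" else None,
        "run_keys": run_keys,
    }


def build_blob(key: bytes, values: List[object]) -> bytes:
    """Build a blob in the assumed layout (inverse of parse_settings), for testing."""
    first = C2_SEP.join(v.encode("latin-1") for v in values[0])
    rest = [v.encode("latin-1") for v in values[1:]]
    return bytes([len(key)]) + key + rc4(key, SEP.join([first] + rest))


# Constructed test data: the values mirror the report's extracted config, but the
# RC4 key (and therefore the blob) is made up, not recovered from the sample.
SAMPLE_KEY = b"example-rc4-key"
SAMPLE_VALUES: List[object] = [
    ["shilajat.duckdns.org:2404:1"], "Pastnov", "1", "Disable", "Enable", "Enable",
    "Application path", "remcos.exe", "Disable", "Disable", "shilajit-ISLNRR",
    "1", "Application path", "Book.dat", "Enable", "Enable",
]
SAMPLE_BLOB = build_blob(SAMPLE_KEY, SAMPLE_VALUES)

if __name__ == "__main__":
    parsed = parse_settings(SAMPLE_BLOB)
    print(json.dumps(parsed, indent=2))
    print(json.dumps(derive_iocs(parsed), indent=2))
```

Note that with "Install flag" disabled the sample runs from wherever it was dropped, so `dropped_file` stays empty while both Run-key locations are still flagged; the keylog file name is only reported when keylogging is actually switched on.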
Yara matches: initial sample (Source | Rule | Description | Author; matched strings listed beneath)

17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Windows_Trojan_Remcos_b296e965 | unknown | unknown
    • 0x6aab8:$a1: Remcos restarted by watchdog!
    • 0x6b030:$a3: %02i:%02i:%02i:%03i
17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | REMCOS_RAT_variants | unknown | unknown
    • 0x64b0c:$str_a1: C:\Windows\System32\cmd.exe
    • 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
    • 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
    • 0x64b7c:$str_b2: Executing file:
    • 0x65bfc:$str_b3: GetDirectListeningPort
    • 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
    • 0x65728:$str_b7: \update.vbs
    • 0x64ba4:$str_b9: Downloaded file:
    • 0x64b90:$str_b10: Downloading file:
    • 0x64c34:$str_b12: Failed to upload file:
    • 0x65bc4:$str_b13: StartForward
    • 0x65be4:$str_b14: StopForward
    • 0x65680:$str_b15: fso.DeleteFile "
    • 0x65614:$str_b16: On Error Resume Next
    • 0x656b0:$str_b17: fso.DeleteFolder "
    • 0x64c24:$str_b18: Uploaded file:
    • 0x64be4:$str_b19: Unable to delete:
    • 0x65648:$str_b20: while fso.FileExists("
    • 0x650c1:$str_c0: [Firefox StoredLogins not found]
Yara matches: memory dumps (Source | Rule | Description | Author)

00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
    • 0x134b8:$a1: Remcos restarted by watchdog!
    • 0x13a30:$a3: %02i:%02i:%02i:%03i
00000000.00000002.4359006394.00000000007BE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
Yara matches: unpacked PEs (Source | Rule | Description | Author; matched strings listed beneath)

0.2.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
0.2.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0.2.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0.2.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
    • 0x6aab8:$a1: Remcos restarted by watchdog!
    • 0x6b030:$a3: %02i:%02i:%02i:%03i
0.2.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown
    • 0x64b0c:$str_a1: C:\Windows\System32\cmd.exe
    • 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
    • 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
    • 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
    • 0x64b7c:$str_b2: Executing file:
    • 0x65bfc:$str_b3: GetDirectListeningPort
    • 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
    • 0x65728:$str_b7: \update.vbs
    • 0x64ba4:$str_b9: Downloaded file:
    • 0x64b90:$str_b10: Downloading file:
    • 0x64c34:$str_b12: Failed to upload file:
    • 0x65bc4:$str_b13: StartForward
    • 0x65be4:$str_b14: StopForward
    • 0x65680:$str_b15: fso.DeleteFile "
    • 0x65614:$str_b16: On Error Resume Next
    • 0x656b0:$str_b17: fso.DeleteFolder "
    • 0x64c24:$str_b18: Uploaded file:
    • 0x64be4:$str_b19: Unable to delete:
    • 0x65648:$str_b20: while fso.FileExists("
    • 0x650c1:$str_c0: [Firefox StoredLogins not found]
                      No Sigma rule has matched
Suricata alerts, high severity (Timestamp | SID | Severity | Classtype | Source IP:Port | Destination IP:Port | Protocol)
2024-11-23T06:53:29.311796+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4:49730 | 154.216.17.204:2404 | TCP

Suricata alerts, low severity (Timestamp | SID | Severity | Classtype | Source IP:Port | Destination IP:Port | Protocol)
2024-11-23T06:53:32.031285+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.4:49731 | 178.237.33.50:80 | TCP


                      AV Detection

Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Avira: detected
Source: shilajat.duckdns.org | Avira URL Cloud: Label: malware
Source: 0.0.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["shilajat.duckdns.org:2404:1"], "Assigned name": "Pastnov", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "shilajit-ISLNRR", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "Book.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Capturas de pantalla", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "Asus"}
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | ReversingLabs: Detection: 86%
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Virustotal: Detection: 79%
Source: Yara match | File source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4359006394.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1912121435.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe PID: 7292, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----

                      Exploits

Source: Yara match | File source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1912121435.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe PID: 7292, type: MEMORYSTR

                      Privilege Escalation

Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_00407538 _wcslen,CoGetObject
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_00407877 FindFirstFileW,FindNextFileW
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW
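The CoGetObject call at 0_2_00407538 is the API through which a COM elevation moniker is resolved. The CMSTPLUA bypass that the JoeSecurity_UACBypassusingCMSTP and ditekSHen (T1218.003) rules detect passes a moniker naming the auto-elevated CMSTPLUA object, so that its ICMLuaUtil methods run at high integrity without a UAC prompt; the EnableLUA reg.exe string matched by REMCOS_RAT_variants is the cruder alternative of switching UAC off in the registry. The script below is an added triage example, not code from the report or from the sample. It scans a binary's bytes for the moniker prefix, the CMSTPLUA CLSID (3E5FC7F9-9A51-4367-9063-A120244FBEC7, a publicly documented identifier that does not appear on this page) and the EnableLUA command, in both ASCII and UTF-16LE, since CoGetObject takes the moniker as a wide string. The input blob is constructed inside the script.

```python
"""Static triage for CMSTPLUA-style UAC bypass indicators in a binary's bytes.

Added example. The CLSID is the publicly documented CMSTPLUA (ICMLuaUtil)
auto-elevated COM class; it is not taken from the sandbox report.
"""
import re
from typing import Iterator, List, NamedTuple, Pattern, Tuple


class Hit(NamedTuple):
    indicator: str
    encoding: str
    offset: int


CMSTPLUA_CLSID = "3E5FC7F9-9A51-4367-9063-A120244FBEC7"

INDICATORS = {
    # prefix of the COM elevation moniker handed to CoGetObject
    "elevation_moniker": "Elevation:Administrator!new:",
    # auto-elevated CMSTPLUA object whose ICMLuaUtil methods run elevated
    "cmstplua_clsid": CMSTPLUA_CLSID,
    # reg.exe command (as far as the report's YARA string shows it) that turns UAC off
    "enablelua_disable": "reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA",
}


def _patterns(text: str) -> Iterator[Tuple[str, Pattern[bytes]]]:
    # Case-insensitive because GUIDs are written both ways; the UTF-16LE form
    # matters because CoGetObject receives the moniker as a wide string.
    yield "ascii", re.compile(re.escape(text.encode("ascii")), re.IGNORECASE)
    yield "utf16le", re.compile(re.escape(text.encode("utf-16-le")), re.IGNORECASE)


def scan(data: bytes) -> List[Hit]:
    """Return every indicator occurrence with its encoding and byte offset."""
    hits: List[Hit] = []
    for name, text in INDICATORS.items():
        for enc, pat in _patterns(text):
            hits.extend(Hit(name, enc, m.start()) for m in pat.finditer(data))
    return sorted(hits, key=lambda h: (h.offset, h.indicator))


def verdict(hits: List[Hit]) -> str:
    """Combine indicators; moniker plus the CMSTPLUA CLSID is the strong signal."""
    names = {h.indicator for h in hits}
    if {"elevation_moniker", "cmstplua_clsid"} <= names:
        return "cmstp_com_uac_bypass"
    if "elevation_moniker" in names:
        return "com_elevation_moniker"      # some other auto-elevated CLSID; still review
    if "enablelua_disable" in names:
        return "uac_disable_via_registry"
    return "none"


def build_sample() -> bytes:
    """Constructed stand-in for a data section; these are not bytes from the real sample."""
    moniker = f"Elevation:Administrator!new:{{{CMSTPLUA_CLSID}}}".encode("utf-16-le")
    # constructed full command line; the report's YARA string shows it truncated
    reg_cmd = (b"/k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows"
               b"\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f")
    return b"\x00" * 64 + moniker + b"\x00" * 16 + reg_cmd + b"\x00" * 32


if __name__ == "__main__":
    found = scan(build_sample())
    for h in found:
        print(f"{h.offset:#08x} {h.encoding:8} {h.indicator}")
    print("verdict:", verdict(found))
```

The moniker prefix on its own is not proof of a bypass (legitimate elevation-aware software uses the same mechanism), which is why the verdict only becomes "cmstp_com_uac_bypass" when the CMSTPLUA CLSID is present as well; a hit on the EnableLUA command alone is reported separately as a registry-based UAC disable.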

                      Networking

Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49730 -> 154.216.17.204:2404
Source: Malware configuration extractor | URLs: shilajat.duckdns.org
Source: unknown | DNS query: name: shilajat.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 154.216.17.204:2404
Source: global traffic | HTTP traffic detected (request carries no User-Agent header):
    GET /json.gp HTTP/1.1
    Host: geoplugin.net
    Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | ASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49731 -> 178.237.33.50:80
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (observed twice)
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_0041B411 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: global traffic | DNS traffic detected: DNS query: shilajat.duckdns.org
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000003.1963749907.0000000000823000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe; 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359006394.00000000007BE000.00000004.00000020.00020000.00000000.sdmp; 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359006394.00000000007FF000.00000004.00000020.00020000.00000000.sdmp; 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000003.1963749907.00000000007FF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359006394.00000000007FF000.00000004.00000020.00020000.00000000.sdmp; 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000003.1963749907.00000000007FF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp%1
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359006394.00000000007BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpSystem32
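The network evidence above is a DNS query for a duckdns.org host, a TCP session to port 2404, and a GET to geoplugin.net that carries no User-Agent header. Each of those is weak on its own, but together from one workstation they are the pattern an analyst would want to surface from flow and HTTP logs rather than from a sandbox run. The following is an added example, not part of the Joe Sandbox report, that runs that logic over constructed Zeek-style JSON records and correlates the findings per source host. The field names are Zeek's (`id.orig_h`, `id.resp_h`, `id.resp_p`, `proto`, `query`, `host`, `uri`, `user_agent`, `_path`); duckdns.org and geoplugin.net come from the report, while the other dynamic-DNS suffixes and the expected-port set are assumptions an analyst would tune for their environment.

```python
"""Network triage over Zeek-style JSON log lines for the behaviours in the report.

Added example, not part of the sandbox report. The log records below are
constructed to mirror what the report shows, plus one benign session.
"""
import json
from typing import Dict, List, Set

# duckdns.org and geoplugin.net are taken from the report; the remaining dynamic-DNS
# suffixes and the expected-port set are analyst assumptions.
DDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org", "zapto.org")
GEO_LOOKUP_HOSTS = ("geoplugin.net",)
EXPECTED_TCP_PORTS = {80, 443}


def _finding(kind: str, rec: Dict, detail: str) -> Dict[str, str]:
    return {"type": kind, "src": rec.get("id.orig_h", "?"), "detail": detail}


def triage(log_lines: List[str]) -> List[Dict[str, str]]:
    """Flag DDNS lookups, UA-less HTTP, geolocation lookups and odd TCP ports."""
    findings: List[Dict[str, str]] = []
    for line in log_lines:
        rec = json.loads(line)
        path = rec.get("_path")
        if path == "dns":
            q = rec.get("query", "").lower().rstrip(".")
            if any(q == s or q.endswith("." + s) for s in DDNS_SUFFIXES):
                findings.append(_finding("dynamic_dns_query", rec, q))
        elif path == "http":
            host = rec.get("host", "").lower()
            req = f"{rec.get('method', '?')} {host}{rec.get('uri', '')}"
            if not rec.get("user_agent"):              # missing or empty header
                findings.append(_finding("http_without_user_agent", rec, req))
            if host in GEO_LOOKUP_HOSTS:
                findings.append(_finding("geolocation_lookup", rec, req))
        elif path == "conn":
            port = rec.get("id.resp_p")
            if rec.get("proto") == "tcp" and port not in EXPECTED_TCP_PORTS:
                findings.append(_finding("tcp_nonstandard_port", rec,
                                         f"{rec.get('id.resp_h')}:{port}"))
    return findings


def score(findings: List[Dict[str, str]]) -> Dict[str, str]:
    """Per source host: DDNS + odd port + (UA-less HTTP or geo lookup) is the RAT-like combination."""
    by_src: Dict[str, Set[str]] = {}
    for f in findings:
        by_src.setdefault(f["src"], set()).add(f["type"])
    out: Dict[str, str] = {}
    for src, types in by_src.items():
        beacon = {"dynamic_dns_query", "tcp_nonstandard_port"} <= types
        recon = bool(types & {"http_without_user_agent", "geolocation_lookup"})
        out[src] = "high" if beacon and recon else ("medium" if len(types) >= 2 else "low")
    return out


# Constructed records: first three mirror the report's observations, last two are benign.
SAMPLE_LOGS = [
    '{"_path":"dns","id.orig_h":"192.168.2.4","id.resp_h":"1.1.1.1","query":"shilajat.duckdns.org","qtype_name":"A"}',
    '{"_path":"conn","id.orig_h":"192.168.2.4","id.orig_p":49730,"id.resp_h":"154.216.17.204","id.resp_p":2404,"proto":"tcp"}',
    '{"_path":"http","id.orig_h":"192.168.2.4","id.resp_h":"178.237.33.50","method":"GET","host":"geoplugin.net","uri":"/json.gp"}',
    '{"_path":"http","id.orig_h":"192.168.2.4","id.resp_h":"203.0.113.10","method":"GET","host":"www.example.com","uri":"/","user_agent":"Mozilla/5.0"}',
    '{"_path":"conn","id.orig_h":"192.168.2.4","id.orig_p":49740,"id.resp_h":"203.0.113.10","id.resp_p":443,"proto":"tcp"}',
]

if __name__ == "__main__":
    found = triage(SAMPLE_LOGS)
    for f in found:
        print(f"{f['src']}  {f['type']:26} {f['detail']}")
    print(score(found))
```

The scoring deliberately requires the beaconing half (dynamic DNS plus a non-standard port) and the reconnaissance half (a UA-less request or a geolocation lookup) before it reports "high"; either half alone is common enough in ordinary traffic that it should only raise a medium or low.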

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000 (idHook 0x0D is WH_KEYBOARD_LL, a low-level keyboard hook)
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx
Source: Yara match | File source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1912121435.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe PID: 7292, type: MEMORYSTR

                      E-Banking Fraud

Source: Yara match | File source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4359006394.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1912121435.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe PID: 7292, type: MEMORYSTR

                      Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_0041CA6D SystemParametersInfoW
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_0041CA73 SystemParametersInfoW

                      System Summary

Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, type: SAMPLE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.0.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.0.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.0.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000000.1912121435.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe PID: 7292, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code functions (listed without API calls): 0_2_0043706A, 0_2_00414005, 0_2_0043E11C, 0_2_004541D9, 0_2_004381E8, 0_2_0041F18B, 0_2_00446270, 0_2_0043E34B, 0_2_004533AB, 0_2_0042742E, 0_2_00437566, 0_2_0043E5A8, 0_2_004387F0
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCode function: 0_2_0043797E0_2_0043797E
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCode function: 0_2_004339D70_2_004339D7
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCode function: 0_2_0044DA490_2_0044DA49
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCode function: 0_2_00427AD70_2_00427AD7
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCode function: 0_2_0041DBF30_2_0041DBF3
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCode function: 0_2_00427C400_2_00427C40
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCode function: 0_2_00437DB30_2_00437DB3
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCode function: 0_2_00435EEB0_2_00435EEB
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCode function: 0_2_0043DEED0_2_0043DEED
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCode function: 0_2_00426E9F0_2_00426E9F
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCode function: String function: 00402093 appears 50 times
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCode function: String function: 00401E65 appears 35 times
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCode function: String function: 00434E70 appears 54 times
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCode function: String function: 00434801 appears 42 times
                      Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, type: SAMPLEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, type: SAMPLEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 0.2.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 0.2.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 0.2.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 0.0.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 0.0.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 0.0.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000000.00000000.1912121435.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe PID: 7292, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: classification engineClassification label: mal100.rans.troj.spyw.expl.evad.winEXE@1/2@2/2
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCode function: 0_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,0_2_0041798D
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCode function: 0_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,0_2_0040F4AF
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCode function: 0_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource,0_2_0041B539
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCode function: 0_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_0041AADB
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\json[1].jsonJump to behavior
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeMutant created: \Sessions\1\BaseNamedObjects\shilajit-ISLNRR
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCommand line argument: Software\0_2_0040EA00
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCommand line argument: shilajit-ISLNRR0_2_0040EA00
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCommand line argument: Exe0_2_0040EA00
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCommand line argument: Exe0_2_0040EA00
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCommand line argument: shilajit-ISLNRR0_2_0040EA00
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCommand line argument: (TG0_2_0040EA00
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCommand line argument: ,aF0_2_0040EA00
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCommand line argument: Inj0_2_0040EA00
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCommand line argument: Inj0_2_0040EA00
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCommand line argument: @*|0_2_0040EA00
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCommand line argument: @*|0_2_0040EA00
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCommand line argument: @*|0_2_0040EA00
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCommand line argument: HSG0_2_0040EA00
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCommand line argument: @*|0_2_0040EA00
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCommand line argument: exepath0_2_0040EA00
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCommand line argument: ,aF0_2_0040EA00
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCommand line argument: HSG0_2_0040EA00
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCommand line argument: exepath0_2_0040EA00
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCommand line argument: @*|0_2_0040EA00
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCommand line argument: licence0_2_0040EA00
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCommand line argument: tMG0_2_0040EA00
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCommand line argument: `SG0_2_0040EA00
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCommand line argument: Administrator0_2_0040EA00
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCommand line argument: User0_2_0040EA00
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCommand line argument: del0_2_0040EA00
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCommand line argument: del0_2_0040EA00
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCommand line argument: del0_2_0040EA00
                      Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeReversingLabs: Detection: 86%
                      Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeVirustotal: Detection: 79%
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeSection loaded: winmm.dllJump to behavior
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeSection loaded: rstrtmgr.dllJump to behavior
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
                      Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                      Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                      Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                      Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                      Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                      Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCode function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041CBE1
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCode function: 0_2_00457186 push ecx; ret 0_2_00457199
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCode function: 0_2_0041C7F3 push eax; retf 0_2_0041C7FD
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCode function: 0_2_00457AA8 push eax; ret 0_2_00457AC6
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCode function: 0_2_00434EB6 push ecx; ret 0_2_00434EC9
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCode function: 0_2_00406EEB ShellExecuteW,URLDownloadToFileW,0_2_00406EEB
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCode function: 0_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_0041AADB
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCode function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041CBE1
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_0040F7E2 Sleep,ExitProcess
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_0041A7D9 OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Window / User API: threadDelayed 9342
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Window / User API: foregroundWindowGot 1768
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe TID: 7316 | Thread sleep count: 234 > 30
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe TID: 7316 | Thread sleep time: -117000s >= -30000s
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe TID: 7320 | Thread sleep count: 158 > 30
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe TID: 7320 | Thread sleep time: -474000s >= -30000s
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe TID: 7320 | Thread sleep count: 9342 > 30
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe TID: 7320 | Thread sleep time: -28026000s >= -30000s
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_00407877 FindFirstFileW,FindNextFileW
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCode function: 0_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00419B86
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCode function: 0_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040BD72
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeCode function: 0_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00407CD2
                      Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359128763.0000000000838000.00000004.00000020.00020000.00000000.sdmp, 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000003.1964035663.0000000000838000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWoO
                      Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359128763.0000000000838000.00000004.00000020.00020000.00000000.sdmp, 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000003.1964035663.0000000000838000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                      Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359006394.00000000007BE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                      Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exeAPI call chain: ExitProcess graph end nodegraph_0-48312
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_00443355 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_004120B2 GetProcessHeap,HeapFree
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_00434BD8 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe | 0_2_00412132
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_00419662 mouse_event
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359006394.0000000000823000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerost:i
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359128763.0000000000831000.00000004.00000020.00020000.00000000.sdmp, 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359006394.0000000000823000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359128763.0000000000831000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager-]i
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000003.1963749907.0000000000823000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager]i
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359006394.0000000000823000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerr|
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359006394.0000000000823000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager!i
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359006394.0000000000823000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager4i
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359006394.00000000007BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerES-PC
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359006394.0000000000823000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager`i;
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359006394.0000000000823000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managernet/
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359006394.0000000000823000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manageroi2
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359006394.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359006394.00000000007FF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000003.1963749907.0000000000823000.00000004.00000020.00020000.00000000.sdmp, 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359006394.0000000000823000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerVi5
Source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359006394.00000000007BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [Program Manager]
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_00434CB6 cpuid
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: GetLocaleInfoA | 0_2_0040F90C
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: EnumSystemLocalesW | 0_2_0045201B
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: EnumSystemLocalesW | 0_2_004520B6
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW | 0_2_00452143
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: GetLocaleInfoW | 0_2_00452393
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: EnumSystemLocalesW | 0_2_00448484
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP | 0_2_004524BC
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: GetLocaleInfoW | 0_2_004525C3
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW | 0_2_00452690
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: GetLocaleInfoW | 0_2_0044896D
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW | 0_2_00451D58
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: EnumSystemLocalesW | 0_2_00451FD0
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_00404F51 GetLocalTime,CreateEventA,CreateThread
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_0041B69E GetComputerNameExW,GetUserNameW
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: 0_2_0044942D _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
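The thread-sleep lines above (TIDs 7316 and 7320) are the report's delay heuristic: a thread trips it when its Sleep call count exceeds 30 or its summed sleep time reaches 30000, and the "Sleep,ExitProcess" chain at 0_2_0040F7E2 is the delayed-exit variant. The following is an added example, not code from the report or from Joe Sandbox, that replays a constructed API trace and applies those same checks. The report prints the sleep totals negated with an "s" suffix and does not state the unit, so the values are compared as plain integers; the trace, TID 7400/7500 and the sleep API names other than Sleep are assumptions made for the example.

```python
"""Delay-based sandbox-evasion heuristic, replayed over a constructed API trace.

Added example (not part of the Joe Sandbox report). It reproduces the two
per-thread checks the report prints for TIDs 7316 and 7320 (Sleep call count
above 30, summed sleep time of at least 30000) and adds a check for the
Sleep-then-ExitProcess pattern reported at 0_2_0040F7E2. The report does not
state the unit of the sleep totals; they are compared as plain integers.
"""
from dataclasses import dataclass

SLEEP_APIS = {"Sleep", "SleepEx", "NtDelayExecution"}   # assumed monitored set
SLEEP_COUNT_THRESHOLD = 30      # report: "Thread sleep count: 234 > 30"
SLEEP_TIME_THRESHOLD = 30_000   # report: "Thread sleep time: -117000s >= -30000s"


@dataclass
class ThreadSleepSummary:
    tid: int
    count: int = 0
    total: int = 0
    longest: int = 0


def summarize_sleeps(trace):
    """trace: iterable of (tid, api_name, argument) tuples in call order.
    Only sleep APIs contribute; the argument is the requested delay."""
    summaries = {}
    for tid, api, arg in trace:
        if api not in SLEEP_APIS:
            continue
        s = summaries.setdefault(tid, ThreadSleepSummary(tid))
        s.count += 1
        s.total += arg
        s.longest = max(s.longest, arg)
    return summaries


def delay_evasion_verdicts(trace):
    """Return {tid: [reasons]} for threads that trip either threshold.

    The checks are OR-ed, as in the report: many short sleeps trip the count
    check even if a sandbox shortens each one, and a single long sleep trips
    the time check although its count is 1.
    """
    verdicts = {}
    for tid, s in summarize_sleeps(trace).items():
        reasons = []
        if s.count > SLEEP_COUNT_THRESHOLD:
            reasons.append(f"sleep count {s.count} > {SLEEP_COUNT_THRESHOLD}")
        if s.total >= SLEEP_TIME_THRESHOLD:
            reasons.append(f"sleep time {s.total} >= {SLEEP_TIME_THRESHOLD}")
        if reasons:
            verdicts[tid] = reasons
    return verdicts


def delayed_exit_threads(trace):
    """TIDs whose ExitProcess call is immediately preceded by a sleep API on
    the same thread (the report's 'Sleep,ExitProcess' chain)."""
    last_api = {}
    hits = set()
    for tid, api, _ in trace:
        if api == "ExitProcess" and last_api.get(tid) in SLEEP_APIS:
            hits.add(tid)
        last_api[tid] = api
    return hits


def constructed_trace():
    """Constructed trace reproducing the report's per-thread totals:
    7316: 234 x 500 = 117000; 7320: 9342 x 3000 = 28026000.
    7400 is a benign control thread; 7500 sleeps once, then exits."""
    trace = [(7316, "Sleep", 500)] * 234
    trace += [(7320, "Sleep", 3000)] * 9342
    trace += [(7400, "Sleep", 100)] * 5
    trace += [(7400, "GetForegroundWindow", 0)] * 3     # not a sleep API
    trace += [(7500, "Sleep", 60_000), (7500, "ExitProcess", 0)]
    return trace


if __name__ == "__main__":
    t = constructed_trace()
    for tid, reasons in sorted(delay_evasion_verdicts(t).items()):
        print(tid, "; ".join(reasons))
    print("delayed exit:", sorted(delayed_exit_threads(t)))
```

The count check is what survives sandbox sleep-skipping (the cookbook line later in this report shows the analyser patching millions of Sleep calls): a sample that loops on short sleeps still accumulates the call count even when every individual delay is shortened to zero.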

                      Stealing of Sensitive Information

Source: Yara match | File source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4359006394.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1912121435.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe PID: 7292, type: MEMORYSTR
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data | 0_2_0040BA4D
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ | 0_2_0040BB6B
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: \key3.db | 0_2_0040BB6B
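The three "Code function" strings above give the two credential stores the sample targets: Chrome's Login Data under User Data and Firefox's key3.db under Profiles. A practical detection is a file-access rule that fires when any process other than the owning browser opens those files. The following is an added example, not code from the report; it takes the two paths from the page and generalizes slightly: key4.db, logins.json and the cookie databases are included because Firefox 58 and later keep logins in key4.db/logins.json, so a routine that looks only for key3.db finds nothing in a fresh profile on the report's Firefox 118 analysis system. The event format, process names and the allowlist are assumptions made for the example.

```python
"""Flag non-browser processes reading browser credential stores.

Added example, not part of the Joe Sandbox report. Events are constructed to
resemble file-access telemetry (process image, target path). Only the Chrome
'Login Data' and Firefox 'key3.db' paths come from the report; the other file
names are a generalization to current Firefox/Chrome layouts.
"""
from pathlib import PureWindowsPath

# browser -> (directory run that must appear in the path, file names of interest)
CREDENTIAL_STORES = {
    "chrome": (["appdata", "local", "google", "chrome", "user data"],
               {"login data", "cookies"}),
    "firefox": (["appdata", "roaming", "mozilla", "firefox", "profiles"],
                {"key3.db", "key4.db", "logins.json", "cookies.sqlite"}),
}
# Processes expected to open their own stores.
BROWSER_OWNERS = {"chrome": {"chrome.exe"}, "firefox": {"firefox.exe"}}


def _contains_run(parts, run):
    """True if the list `run` occurs contiguously inside `parts`."""
    n = len(run)
    return any(parts[i:i + n] == run for i in range(len(parts) - n + 1))


def classify_access(image, path, allowlist=frozenset()):
    """Return (browser, file, image_name) when a process outside the browser
    and the allowlist touches a credential store, else None.

    allowlist: lower-case image names of backup agents or migration tools
    that legitimately read these files; tune it per environment.
    """
    p = PureWindowsPath(path)
    parts = [s.lower() for s in p.parts]
    file_name = p.name.lower()
    image_name = PureWindowsPath(image).name.lower()
    for browser, (run, files) in CREDENTIAL_STORES.items():
        if file_name in files and _contains_run(parts, run):
            if image_name in BROWSER_OWNERS[browser] or image_name in allowlist:
                return None
            return (browser, file_name, image_name)
    return None


def scan(events, allowlist=frozenset()):
    """events: iterable of (image, path); returns the list of hits in order."""
    hits = []
    for image, path in events:
        hit = classify_access(image, path, allowlist)
        if hit:
            hits.append(hit)
    return hits


# Constructed events; 'sample.exe' stands in for the analysed binary.
CONSTRUCTED_EVENTS = [
    (r"C:\Users\user\Desktop\sample.exe",
     r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (r"C:\Users\user\Desktop\sample.exe",
     r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\key3.db"),
    (r"C:\Users\user\Desktop\sample.exe",
     r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\key4.db"),
    (r"C:\Program Files\Backup\backup.exe",
     r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\logins.json"),
    (r"C:\Windows\System32\svchost.exe",
     r"C:\Users\user\AppData\Local\Temp\work.tmp"),
]

if __name__ == "__main__":
    for hit in scan(CONSTRUCTED_EVENTS, allowlist={"backup.exe"}):
        print(hit)
```

Matching on the directory run rather than the full path keeps the rule independent of the user name and of the profile folder (Chrome's "Default" or "Profile 1", Firefox's random-prefixed profile directory), which is also why the sample's own strings stop at "\Profiles\" and enumerate from there with FindFirstFileA.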

                      Remote Access Functionality

Source: Yara match | File source: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4359006394.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1912121435.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe PID: 7292, type: MEMORYSTR
Source: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | Code function: cmd.exe | 0_2_0040569A
MITRE ATT&CK matrix: techniques flagged by the report's signatures, by tactic (the leading number is the signature-count badge as rendered in the report)

Execution: 1 Native API; 12 Command and Scripting Interpreter; 2 Service Execution
Persistence: 1 DLL Side-Loading; 1 Windows Service
Privilege Escalation: 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Access Token Manipulation; 1 Windows Service; 11 Process Injection
Defense Evasion: 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Masquerading; 1 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 11 Process Injection
Credential Access: 1 OS Credential Dumping; 211 Input Capture; 2 Credentials In Files
Discovery: 2 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 2 File and Directory Discovery; 23 System Information Discovery; 21 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
Collection: 11 Archive Collected Data; 211 Input Capture; 3 Clipboard Data
Command and Control: 12 Ingress Tool Transfer; 2 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 22 Application Layer Protocol
Impact: 1 System Shutdown/Reboot; 1 Defacement
Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration: no techniques flagged

Source | Detection | Scanner | Label | Link
17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | 87% | ReversingLabs | Win32.Backdoor.Remcos |
17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | 79% | Virustotal | | Browse
17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | 100% | Avira | BDS/Backdoor.Gen |
17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
shilajat.duckdns.org | 0% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
shilajat.duckdns.org | 100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
shilajat.duckdns.org | 154.216.17.204 | true | true | | unknown
geoplugin.net | 178.237.33.50 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | false | | high
shilajat.duckdns.org | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp%1 | 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359006394.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000003.1963749907.00000000007FF000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/ | 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000003.1963749907.0000000000823000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gp/C | 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe | false | | high
http://geoplugin.net/json.gpSystem32 | 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, 00000000.00000002.4359006394.00000000007BE000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
154.216.17.204 | shilajat.duckdns.org | Seychelles | 135357 | SKHT-AS Shenzhen Katherine Heng Technology Information Co | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-AS ATOM86 NL | false
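The network tables above give two very different indicators: shilajat.duckdns.org / 154.216.17.204 is the C2 (malicious, reputation unknown), while geoplugin.net / 178.237.33.50 is a legitimate geolocation service (malicious false, reputation high) that this sample, and the other Remcos samples listed further down, query for victim geolocation. Blocking on the C2 is safe; blocking on geoplugin.net is not, but a geoplugin request is a useful pivot. The following is an added example, not part of the report, that triages constructed DNS and proxy log lines against these indicators. It generalizes one step beyond the page: because the C2 hostname sits under duckdns.org, a dynamic DNS service, a geoplugin request close in time to any *.duckdns.org lookup from the same host is raised to "suspect". The log format, host names, timestamps and the 10-minute window are assumptions made for the example.

```python
"""Triage constructed DNS/proxy log lines against this report's network indicators.

Added example, not part of the Joe Sandbox report. Indicator values come from
the report's network tables; the log format, hosts and timestamps are
constructed. A geoplugin.net request alone is only a pivot; the same request
within CORRELATION_WINDOW of a *.duckdns.org lookup is 'suspect'
(generalization beyond the page); a direct hit on the C2 host or IP is 'c2'.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# From the report: C2 hostname and its resolved IP (malicious: true).
C2_INDICATORS = {"shilajat.duckdns.org", "154.216.17.204"}
# From the report: geolocation service (malicious: false, reputation: high).
PIVOT_INDICATORS = {"geoplugin.net", "178.237.33.50"}
DDNS_SUFFIXES = (".duckdns.org",)           # generalization: dynamic DNS provider of the C2
CORRELATION_WINDOW = timedelta(minutes=10)  # assumed analyst setting

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<kind>dns|proxy) (?P<dst>\S+)$"
)


def destination_host(dst):
    """Reduce 'http://geoplugin.net/json.gp' or 'host:port' to the bare host."""
    dst = re.sub(r"^[a-z]+://", "", dst.lower())
    return dst.split("/")[0].split(":")[0]


def parse_line(line):
    """Parse one constructed log line; returns (ts, host, kind, dst) or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["host"], m["kind"], destination_host(m["dst"])


def triage(lines):
    """Return {host: verdict}, verdict in {'c2', 'suspect', 'pivot', 'clean'}."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, host, _kind, dst = parsed
            events[host].append((ts, dst))

    verdicts = {}
    for host, evs in events.items():
        dsts = {d for _, d in evs}
        if dsts & C2_INDICATORS:
            verdicts[host] = "c2"
            continue
        geo = [t for t, d in evs if d in PIVOT_INDICATORS]
        ddns = [t for t, d in evs if d.endswith(DDNS_SUFFIXES)]
        if geo and any(abs(g - d) <= CORRELATION_WINDOW for g in geo for d in ddns):
            verdicts[host] = "suspect"
        elif geo:
            verdicts[host] = "pivot"
        else:
            verdicts[host] = "clean"
    return verdicts


# Constructed log lines: "<date> <time> <host> <dns|proxy> <destination>".
CONSTRUCTED_LOG = """\
2024-11-23 06:53:10 ws-01 dns shilajat.duckdns.org
2024-11-23 06:53:11 ws-01 proxy http://geoplugin.net/json.gp
2024-11-23 06:53:12 ws-02 proxy http://geoplugin.net/json.gp
2024-11-23 06:53:20 ws-03 dns other-host.duckdns.org
2024-11-23 06:53:25 ws-03 proxy http://geoplugin.net/json.gp
2024-11-23 06:10:00 ws-04 proxy http://geoplugin.net/json.gp
2024-11-23 07:30:00 ws-04 dns other-host.duckdns.org
2024-11-23 06:55:00 ws-05 proxy https://example.com:443/
2024-11-23 06:56:00 ws-06 proxy 154.216.17.204
""".splitlines()

if __name__ == "__main__":
    for host, verdict in sorted(triage(CONSTRUCTED_LOG).items()):
        print(host, verdict)
```

Two caveats when lifting these values into production rules: the "similar samples" table further down shows 154.216.17.204 also serving a XenoRAT sample, so an IP hit attributes shared infrastructure rather than a family, and geoplugin.net appears in the context column of every listed Remcos sample, which is exactly why it works as a pivot and fails as a block rule.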
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1561336
Start date and time: 2024-11-23 06:52:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 7s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@1/2@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 38
• Number of non-executed functions: 210
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240s for sample files taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
00:53:58 | API Interceptor | 6873784x Sleep call for process: 17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
154.216.17.204 | 1732341065aa3050236bf0a757080986a42d53699fd38d78c31f65f12b4934c9236ce70a12688.dat-decoded.exe | Get hash | malicious | XenoRAT | Browse |
178.237.33.50 | 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | 018292540-LetterReguranPPI-20230814215304.PDF.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | 800399031-18.11.2024.pdf.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | Purchase Inquiry_002.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | APPENDIX FORM_N#U00b045013-20241120.com.exe | Get hash | malicious | Remcos, GuLoader | Browse | geoplugin.net/json.gp
178.237.33.50 | wE1inOhJA5.msi | Get hash | malicious | Remcos, RHADAMANTHYS | Browse | geoplugin.net/json.gp
178.237.33.50 | ORDER AND SPECIFICATIONS.scr.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | 1732143786cec792bea7f8ce7f818c031173ce52fabd19dde842f74b07fc234dc9f3fa1dcf839.dat-decoded.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | seethebestthignswhichgivingbestopportunities.hta | Get hash | malicious | Cobalt Strike, Remcos, HTMLPhisher | Browse | geoplugin.net/json.gp
Match | Associated Sample Name / URL | Detection | Threat Name | Context
geoplugin.net | 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 018292540-LetterReguranPPI-20230814215304.PDF.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 800399031-18.11.2024.pdf.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | Purchase Inquiry_002.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | APPENDIX FORM_N#U00b045013-20241120.com.exe | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | wE1inOhJA5.msi | malicious | Remcos, RHADAMANTHYS | 178.237.33.50
geoplugin.net | ORDER AND SPECIFICATIONS.scr.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 1732143786cec792bea7f8ce7f818c031173ce52fabd19dde842f74b07fc234dc9f3fa1dcf839.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | seethebestthignswhichgivingbestopportunities.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SKHT-AS ShenzhenKatherineHengTechnologyInformationCo | 1732341065aa3050236bf0a757080986a42d53699fd38d78c31f65f12b4934c9236ce70a12688.dat-decoded.exe | malicious | XenoRAT | 154.216.17.204
SKHT-AS ShenzhenKatherineHengTechnologyInformationCo | test1.elf | malicious | Mirai | 154.216.16.109
SKHT-AS ShenzhenKatherineHengTechnologyInformationCo | https://clearview-ps.inwise.net/Page_11-21-2024_1 | malicious | HTMLPhisher | 154.216.17.193
SKHT-AS ShenzhenKatherineHengTechnologyInformationCo | m68k.nn.elf | malicious | Mirai, Okiru | 154.216.19.139
SKHT-AS ShenzhenKatherineHengTechnologyInformationCo | 018292540-LetterReguranPPI-20230814215304.PDF.exe | malicious | Remcos | 154.216.20.185
SKHT-AS ShenzhenKatherineHengTechnologyInformationCo | 800399031-18.11.2024.pdf.exe | malicious | Remcos | 154.216.20.185
SKHT-AS ShenzhenKatherineHengTechnologyInformationCo | vkjqpc.elf | malicious | Mirai | 154.216.16.109
SKHT-AS ShenzhenKatherineHengTechnologyInformationCo | vsbeps.elf | malicious | Mirai | 154.216.16.109
SKHT-AS ShenzhenKatherineHengTechnologyInformationCo | wnbw86.elf | malicious | Mirai | 154.216.16.109
SKHT-AS ShenzhenKatherineHengTechnologyInformationCo | qkehusl.elf | malicious | Mirai | 154.216.16.109
ATOM86-AS ATOM86NL | 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-AS ATOM86NL | 018292540-LetterReguranPPI-20230814215304.PDF.exe | malicious | Remcos | 178.237.33.50
ATOM86-AS ATOM86NL | 800399031-18.11.2024.pdf.exe | malicious | Remcos | 178.237.33.50
ATOM86-AS ATOM86NL | Purchase Inquiry_002.exe | malicious | Remcos | 178.237.33.50
ATOM86-AS ATOM86NL | APPENDIX FORM_N#U00b045013-20241120.com.exe | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-AS ATOM86NL | wE1inOhJA5.msi | malicious | Remcos, RHADAMANTHYS | 178.237.33.50
ATOM86-AS ATOM86NL | ORDER AND SPECIFICATIONS.scr.exe | malicious | Remcos | 178.237.33.50
ATOM86-AS ATOM86NL | 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-AS ATOM86NL | 1732143786cec792bea7f8ce7f818c031173ce52fabd19dde842f74b07fc234dc9f3fa1dcf839.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-AS ATOM86NL | seethebestthignswhichgivingbestopportunities.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher | 178.237.33.50
                                    Process:C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):144
                                    Entropy (8bit):6.801733681937788
                                    Encrypted:false
                                    SSDEEP:3:GSeX4okQ1FEe/mNtNcjknu+rC7rNOMqcwdaDHMA/vAtA:GSeX4okaKeM8wuDpL2IHMA/YtA
                                    MD5:A76821A05D504992F27A428743F03DE0
                                    SHA1:4172B872FBA43BC1C062CC5404B5C7340A047241
                                    SHA-256:7C662C408480ADBA2104877A117E037D781BDC8F8AF379A484D8E785C513B4B2
                                    SHA-512:3C16D46DA2B8EEB5CAD71F218B78C8EC023EB85F38EB92B47A3A7BC1F58FE92DF452CBF920756599F12089BCB2683124659417F4DE46337E5A7E88880704337E
                                    Malicious:false
                                    Reputation:low
                                    Preview:...7".r....%.7....J..7P....`.dl.$..5Jh.%....7#*.. 2.....1.o......a_..G..=i.L;%...[.<:.....8.N........f..D..D....{...&R.i...#......xX.5..;.{y
                                    Process:C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe
                                    File Type:JSON data
                                    Category:dropped
                                    Size (bytes):962
                                    Entropy (8bit):5.015105568788186
                                    Encrypted:false
                                    SSDEEP:12:tkluQ+nd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qluQydRNuKyGX85jvXhNlT3/7AcV9Wro
                                    MD5:8937B63DC0B37E949F38E7874886D999
                                    SHA1:62FD17BF5A029DDD3A5CFB4F5FC9FE83A346FFFC
                                    SHA-256:AB2F31E4512913B1E7F7ACAB4B72D6E741C960D0A482F09EA6F9D96FED842A66
                                    SHA-512:077176C51DC10F155EE08326270C1FE3E6CF36C7ABA75611BDB3CCDA2526D6F0360DBC2FBF4A9963051F0F01658017389FD898980ACF7BB3B29B287F188EE7B9
                                    Malicious:false
                                    Reputation:moderate, very likely benign file
                                    Preview:{. "geoplugin_request":"8.46.123.75",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Entropy (8bit):6.600295326853955
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                    • DOS Executable Generic (2002/1) 0.02%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe
                                    File size:494'592 bytes
                                    MD5:c79d2fae260eb141b5abdef70699b2f7
                                    SHA1:3f4602c889b5a8da7a3899340913338610eb444d
                                    SHA256:39f13c40aa478d6c1d0523d2710ae9144162054f0b754f8af151fea3b3bbfcae
                                    SHA512:4412d4a3eeef5d455a9111a9181551ba28812a70d9a31e9c80a3bb98182e68f8a6bd2b4f95f87b8d3e27b8300a4f8052b09a4d4010f8919437ceb00a7b60499e
                                    SSDEEP:6144:O5zY+w1LqZBCxKedv//NEUn+N5hkf/0TE7RvIZ/jbsAORZzAXMcrmA4:O5k+Yqaxrh3Nln+N52fIA4jbsvZzBA4
                                    TLSH:6EB4AE01BAD2C072D57514300D3AF776EAB8BD201836497B73DA1D5BFE31190A72AAB7
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.-H..~H..~H..~..'~[..~..%~...~..$~V..~AbR~I..~...~J..~.D..R..~.D..r..~.D..j..~AbE~Q..~H..~v..~.D..,..~.D)~I..~.D..I..~RichH..
                                    Icon Hash:95694d05214c1b33
                                    Entrypoint:0x434a80
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:TERMINAL_SERVER_AWARE
                                    Time Stamp:0x6710C0B1 [Thu Oct 17 07:45:53 2024 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:5
                                    OS Version Minor:1
                                    File Version Major:5
                                    File Version Minor:1
                                    Subsystem Version Major:5
                                    Subsystem Version Minor:1
                                    Import Hash:1389569a3a39186f3eb453b501cfe688
                                    Instruction
                                    call 00007FC12CECE4CBh
                                    jmp 00007FC12CECDF13h
                                    push ebp
                                    mov ebp, esp
                                    sub esp, 00000324h
                                    push ebx
                                    push esi
                                    push 00000017h
                                    call 00007FC12CEF0763h
                                    test eax, eax
                                    je 00007FC12CECE087h
                                    mov ecx, dword ptr [ebp+08h]
                                    int 29h
                                    xor esi, esi
                                    lea eax, dword ptr [ebp-00000324h]
                                    push 000002CCh
                                    push esi
                                    push eax
                                    mov dword ptr [00471D14h], esi
                                    call 00007FC12CED04D6h
                                    add esp, 0Ch
                                    mov dword ptr [ebp-00000274h], eax
                                    mov dword ptr [ebp-00000278h], ecx
                                    mov dword ptr [ebp-0000027Ch], edx
                                    mov dword ptr [ebp-00000280h], ebx
                                    mov dword ptr [ebp-00000284h], esi
                                    mov dword ptr [ebp-00000288h], edi
                                    mov word ptr [ebp-0000025Ch], ss
                                    mov word ptr [ebp-00000268h], cs
                                    mov word ptr [ebp-0000028Ch], ds
                                    mov word ptr [ebp-00000290h], es
                                    mov word ptr [ebp-00000294h], fs
                                    mov word ptr [ebp-00000298h], gs
                                    pushfd
                                    pop dword ptr [ebp-00000264h]
                                    mov eax, dword ptr [ebp+04h]
                                    mov dword ptr [ebp-0000026Ch], eax
                                    lea eax, dword ptr [ebp+04h]
                                    mov dword ptr [ebp-00000260h], eax
                                    mov dword ptr [ebp-00000324h], 00010001h
                                    mov eax, dword ptr [eax-04h]
                                    push 00000050h
                                    mov dword ptr [ebp-00000270h], eax
                                    lea eax, dword ptr [ebp-58h]
                                    push esi
                                    push eax
                                    call 00007FC12CED044Dh
                                    Programming Language:
                                    • [C++] VS2008 SP1 build 30729
                                    • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6eeb8 | 0x104 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x79000 | 0x4abc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7e000 | 0x3bc8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6d350 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x6d3e4 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6d388 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x59000 | 0x500 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x571f5 | 0x57200 | 42490688bcf3aaa371282a7454b99e23 | False | 0.5716155173959828 | data | 6.625772280516175 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x59000 | 0x179dc | 0x17a00 | 8c19f58f5a4e5f2d5359d54234473252 | False | 0.5008370535714286 | data | 5.862025333737917 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x71000 | 0x5d54 | 0xe00 | 0eaccffe1cb836994ce5d3ccfb22d4f9 | False | 0.22126116071428573 | data | 3.0035180736120775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x77000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids | 0x78000 | 0x230 | 0x400 | 9ca325bce9f8c0342c0381814603584a | False | 0.330078125 | data | 2.3999762503719224 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x79000 | 0x4abc | 0x4c00 | ff3d62e5310ea8d85a30a685b70aebc1 | False | 0.2761101973684211 | data | 3.9808305433818196 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7e000 | 0x3bc8 | 0x3c00 | 71caad037f5f2070293ebf9ebb49e4e2 | False | 0.764453125 | data | 6.724383647387111 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x7918c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3421985815602837
RT_ICON | 0x795f4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.27704918032786885
RT_ICON | 0x79f7c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.23686679174484052
RT_ICON | 0x7b024 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.22977178423236513
RT_RCDATA | 0x7d5cc | 0x4af | data | | | 1.0091743119266054
RT_GROUP_ICON | 0x7da7c | 0x3e | data | English | United States | 0.8064516129032258
DLL | Import
KERNEL32.dll | FindNextFileA, ExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, UnmapViewOfFile, DuplicateHandle, CreateFileMappingW, MapViewOfFile, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, FindFirstFileA, FormatMessageA, FindNextVolumeW, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, HeapReAlloc, GetACP, GetModuleHandleExW, MoveFileExW, RtlUnwind, RaiseException, LoadLibraryExW, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, GetFileSize, TerminateThread, GetLastError, CreateDirectoryW, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, GetLogicalDriveStringsA, DeleteFileW, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, CreateMutexA, GetCurrentProcess, GetProcAddress, LoadLibraryA, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, SetConsoleOutputCP, InitializeCriticalSectionAndSpinCount, MultiByteToWideChar, DecodePointer, EncodePointer, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, SetEndOfFile
USER32.dll | GetMessageA, GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, DispatchMessageA, SetForegroundWindow, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CloseWindow, SendInput, EnumDisplaySettingsW, mouse_event, CreatePopupMenu, TranslateMessage, TrackPopupMenu, DefWindowProcA, CreateWindowExA, AppendMenuA, GetSystemMetrics, RegisterClassExA, GetCursorPos, SystemParametersInfoW, GetWindowThreadProcessId, MapVirtualKeyA, DrawIcon, GetIconInfo
GDI32.dll | BitBlt, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteObject, CreateDCA, GetObjectA, DeleteDC
ADVAPI32.dll | CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW, RegDeleteKeyA
SHELL32.dll | ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
ole32.dll | CoInitializeEx, CoUninitialize, CoGetObject
SHLWAPI.dll | PathFileExistsW, PathFileExistsA, StrToIntA
WINMM.dll | waveInOpen, waveInStart, waveInAddBuffer, PlaySoundW, mciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInPrepareHeader, waveInUnprepareHeader
WS2_32.dll | gethostbyname, send, WSAStartup, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, WSAGetLastError, recv, connect, socket
urlmon.dll | URLOpenBlockingStreamW, URLDownloadToFileW
gdiplus.dll | GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipAlloc, GdipCloneImage, GdipGetImageEncoders, GdiplusStartup, GdipLoadImageFromStream
WININET.dll | InternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-23T06:53:29.311796+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.4 | 49730 | 154.216.17.204 | 2404 | TCP
2024-11-23T06:53:32.031285+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.4 | 49731 | 178.237.33.50 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 23, 2024 06:53:27.787066936 CET | 49730 | 2404 | 192.168.2.4 | 154.216.17.204
Nov 23, 2024 06:53:27.906955957 CET | 2404 | 49730 | 154.216.17.204 | 192.168.2.4
Nov 23, 2024 06:53:27.907202005 CET | 49730 | 2404 | 192.168.2.4 | 154.216.17.204
Nov 23, 2024 06:53:27.916152954 CET | 49730 | 2404 | 192.168.2.4 | 154.216.17.204
Nov 23, 2024 06:53:28.037285089 CET | 2404 | 49730 | 154.216.17.204 | 192.168.2.4
Nov 23, 2024 06:53:29.266684055 CET | 2404 | 49730 | 154.216.17.204 | 192.168.2.4
Nov 23, 2024 06:53:29.311795950 CET | 49730 | 2404 | 192.168.2.4 | 154.216.17.204
Nov 23, 2024 06:53:29.507775068 CET | 2404 | 49730 | 154.216.17.204 | 192.168.2.4
Nov 23, 2024 06:53:29.513848066 CET | 49730 | 2404 | 192.168.2.4 | 154.216.17.204
Nov 23, 2024 06:53:29.633349895 CET | 2404 | 49730 | 154.216.17.204 | 192.168.2.4
Nov 23, 2024 06:53:29.633522987 CET | 49730 | 2404 | 192.168.2.4 | 154.216.17.204
Nov 23, 2024 06:53:29.755448103 CET | 2404 | 49730 | 154.216.17.204 | 192.168.2.4
Nov 23, 2024 06:53:30.101994038 CET | 2404 | 49730 | 154.216.17.204 | 192.168.2.4
Nov 23, 2024 06:53:30.103889942 CET | 49730 | 2404 | 192.168.2.4 | 154.216.17.204
Nov 23, 2024 06:53:30.225874901 CET | 2404 | 49730 | 154.216.17.204 | 192.168.2.4
Nov 23, 2024 06:53:30.303941011 CET | 2404 | 49730 | 154.216.17.204 | 192.168.2.4
Nov 23, 2024 06:53:30.358681917 CET | 49730 | 2404 | 192.168.2.4 | 154.216.17.204
Nov 23, 2024 06:53:30.542186022 CET | 49731 | 80 | 192.168.2.4 | 178.237.33.50
Nov 23, 2024 06:53:30.661760092 CET | 80 | 49731 | 178.237.33.50 | 192.168.2.4
Nov 23, 2024 06:53:30.661919117 CET | 49731 | 80 | 192.168.2.4 | 178.237.33.50
Nov 23, 2024 06:53:30.673268080 CET | 49731 | 80 | 192.168.2.4 | 178.237.33.50
Nov 23, 2024 06:53:30.792879105 CET | 80 | 49731 | 178.237.33.50 | 192.168.2.4
Nov 23, 2024 06:53:32.031137943 CET | 80 | 49731 | 178.237.33.50 | 192.168.2.4
Nov 23, 2024 06:53:32.031285048 CET | 49731 | 80 | 192.168.2.4 | 178.237.33.50
Nov 23, 2024 06:53:32.077593088 CET | 49730 | 2404 | 192.168.2.4 | 154.216.17.204
Nov 23, 2024 06:53:32.197473049 CET | 2404 | 49730 | 154.216.17.204 | 192.168.2.4
Nov 23, 2024 06:53:33.030102015 CET | 80 | 49731 | 178.237.33.50 | 192.168.2.4
Nov 23, 2024 06:53:33.030214071 CET | 49731 | 80 | 192.168.2.4 | 178.237.33.50
Nov 23, 2024 06:53:42.917846918 CET | 2404 | 49730 | 154.216.17.204 | 192.168.2.4
Nov 23, 2024 06:53:42.919487953 CET | 49730 | 2404 | 192.168.2.4 | 154.216.17.204
Nov 23, 2024 06:53:43.039402962 CET | 2404 | 49730 | 154.216.17.204 | 192.168.2.4
Nov 23, 2024 06:54:12.916419983 CET | 2404 | 49730 | 154.216.17.204 | 192.168.2.4
Nov 23, 2024 06:54:12.920180082 CET | 49730 | 2404 | 192.168.2.4 | 154.216.17.204
Nov 23, 2024 06:54:13.039604902 CET | 2404 | 49730 | 154.216.17.204 | 192.168.2.4
Nov 23, 2024 06:54:42.921508074 CET | 2404 | 49730 | 154.216.17.204 | 192.168.2.4
Nov 23, 2024 06:54:42.923207045 CET | 49730 | 2404 | 192.168.2.4 | 154.216.17.204
Nov 23, 2024 06:54:43.043049097 CET | 2404 | 49730 | 154.216.17.204 | 192.168.2.4
Nov 23, 2024 06:55:12.920558929 CET | 2404 | 49730 | 154.216.17.204 | 192.168.2.4
Nov 23, 2024 06:55:12.925189972 CET | 49730 | 2404 | 192.168.2.4 | 154.216.17.204
Nov 23, 2024 06:55:13.044647932 CET | 2404 | 49730 | 154.216.17.204 | 192.168.2.4
Nov 23, 2024 06:55:20.374912024 CET | 49731 | 80 | 192.168.2.4 | 178.237.33.50
Nov 23, 2024 06:55:20.702811003 CET | 49731 | 80 | 192.168.2.4 | 178.237.33.50
Nov 23, 2024 06:55:21.405976057 CET | 49731 | 80 | 192.168.2.4 | 178.237.33.50
Nov 23, 2024 06:55:22.609061003 CET | 49731 | 80 | 192.168.2.4 | 178.237.33.50
Nov 23, 2024 06:55:25.109071970 CET | 49731 | 80 | 192.168.2.4 | 178.237.33.50
Nov 23, 2024 06:55:30.013839960 CET | 49731 | 80 | 192.168.2.4 | 178.237.33.50
Nov 23, 2024 06:55:39.813039064 CET | 49731 | 80 | 192.168.2.4 | 178.237.33.50
Nov 23, 2024 06:55:42.910087109 CET | 2404 | 49730 | 154.216.17.204 | 192.168.2.4
Nov 23, 2024 06:55:42.911910057 CET | 49730 | 2404 | 192.168.2.4 | 154.216.17.204
Nov 23, 2024 06:55:43.031414986 CET | 2404 | 49730 | 154.216.17.204 | 192.168.2.4
Nov 23, 2024 06:56:12.926372051 CET | 2404 | 49730 | 154.216.17.204 | 192.168.2.4
Nov 23, 2024 06:56:12.927892923 CET | 49730 | 2404 | 192.168.2.4 | 154.216.17.204
Nov 23, 2024 06:56:13.047422886 CET | 2404 | 49730 | 154.216.17.204 | 192.168.2.4
Nov 23, 2024 06:56:42.926522017 CET | 2404 | 49730 | 154.216.17.204 | 192.168.2.4
Nov 23, 2024 06:56:42.928569078 CET | 49730 | 2404 | 192.168.2.4 | 154.216.17.204
Nov 23, 2024 06:56:43.048065901 CET | 2404 | 49730 | 154.216.17.204 | 192.168.2.4
Nov 23, 2024 06:57:12.942867994 CET | 2404 | 49730 | 154.216.17.204 | 192.168.2.4
Nov 23, 2024 06:57:12.944545031 CET | 49730 | 2404 | 192.168.2.4 | 154.216.17.204
Nov 23, 2024 06:57:13.064446926 CET | 2404 | 49730 | 154.216.17.204 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 23, 2024 06:53:27.042900085 CET | 58890 | 53 | 192.168.2.4 | 1.1.1.1
Nov 23, 2024 06:53:27.782607079 CET | 53 | 58890 | 1.1.1.1 | 192.168.2.4
Nov 23, 2024 06:53:30.397922993 CET | 59487 | 53 | 192.168.2.4 | 1.1.1.1
Nov 23, 2024 06:53:30.538163900 CET | 53 | 59487 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 23, 2024 06:53:27.042900085 CET | 192.168.2.4 | 1.1.1.1 | 0x65a4 | Standard query (0) | shilajat.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 23, 2024 06:53:30.397922993 CET | 192.168.2.4 | 1.1.1.1 | 0x9ebc | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                    Nov 23, 2024 06:53:27.782607079 CET | 1.1.1.1 | 192.168.2.4 | 0x65a4 | No error (0) | shilajat.duckdns.org | (none) | 154.216.17.204 | A (IP address) | IN (0x0001) | false
                                    Nov 23, 2024 06:53:30.538163900 CET | 1.1.1.1 | 192.168.2.4 | 0x9ebc | No error (0) | geoplugin.net | (none) | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                    • geoplugin.net
                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    0 | 192.168.2.4 | 49731 | 178.237.33.50 | 80 | 7292 | C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Nov 23, 2024 06:53:30.673268080 CET | 71 | OUT | GET /json.gp HTTP/1.1
                                    Host: geoplugin.net
                                    Cache-Control: no-cache
                                    Nov 23, 2024 06:53:32.031137943 CET | 1170 | IN | HTTP/1.1 200 OK
                                    date: Sat, 23 Nov 2024 05:53:31 GMT
                                    server: Apache
                                    content-length: 962
                                    content-type: application/json; charset=utf-8
                                    cache-control: public, max-age=300
                                    access-control-allow-origin: *
                                    Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 37 35 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED]
                                    Data Ascii: { "geoplugin_request":"8.46.123.75", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}



                                    Target ID:0
                                    Start time:00:53:26
                                    Start date:23/11/2024
                                    Path:C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe"
                                    Imagebase:0x400000
                                    File size:494'592 bytes
                                    MD5 hash:C79D2FAE260EB141B5ABDEF70699B2F7
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4359006394.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000000.1912121435.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000000.1912121435.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.1912121435.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000000.1912121435.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                    Reputation:low
                                    Has exited:false


                                      Execution Graph

                                      Execution Coverage:4.3%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:21.2%
                                      Total number of Nodes:1399
                                      Total number of Limit Nodes:67
                                      execution_graph: [raw node and edge data of the execution graph widget; not reproduced as text]
47577->47579 47596 4028a4 22 API calls 47578->47596 47585 4027e6 47579->47585 47583 40b97d 47583->47572 47584->47574 47586 4027ef 47585->47586 47587 402851 47586->47587 47588 4027f9 47586->47588 47598 4028a4 22 API calls 47587->47598 47591 402802 47588->47591 47594 402815 47588->47594 47597 402aea 28 API calls __EH_prolog 47591->47597 47592 402813 47592->47583 47594->47592 47595 402252 11 API calls 47594->47595 47595->47592 47597->47592 47599->47202 47601 402347 47600->47601 47602 402252 11 API calls 47601->47602 47603 4023c7 47602->47603 47603->47202 47605 4024f9 47604->47605 47606 40250a 28 API calls 47605->47606 47607 4020b1 47606->47607 47607->46944 47624 43ba8a 47608->47624 47610 43aed0 47630 43a837 36 API calls 3 library calls 47610->47630 47612 43ae95 47612->47610 47613 43aeaa 47612->47613 47623 43aeaf pre_c_initialization 47612->47623 47629 44062d 20 API calls _free 47613->47629 47616 43aedc 47617 43af0b 47616->47617 47631 43bacf 40 API calls __Tolower 47616->47631 47620 43af77 47617->47620 47632 43ba36 20 API calls 2 library calls 47617->47632 47633 43ba36 20 API calls 2 library calls 47620->47633 47621 43b03e _swprintf 47621->47623 47634 44062d 20 API calls _free 47621->47634 47623->47231 47625 43baa2 47624->47625 47626 43ba8f 47624->47626 47625->47612 47635 44062d 20 API calls _free 47626->47635 47628 43ba94 pre_c_initialization 47628->47612 47629->47623 47630->47616 47631->47616 47632->47620 47633->47621 47634->47623 47635->47628 47642 401fb0 47636->47642 47638 402f1e 47639 402055 11 API calls 47638->47639 47640 402f2d 47639->47640 47640->47245 47641->47248 47643 4025f0 28 API calls 47642->47643 47644 401fbd 47643->47644 47644->47638 47646 40a162 47645->47646 47647 413584 3 API calls 47646->47647 47648 40a169 47647->47648 47649 40a197 47648->47649 47650 40a17d 47648->47650 47666 409097 47649->47666 47651 40a182 47650->47651 47652 409ed6 47650->47652 47655 409097 28 API calls 47651->47655 47652->46995 47657 40a190 47655->47657 47694 40a268 29 API calls 
47657->47694 47659 40a195 47659->47652 47660->47273 47845 403222 47661->47845 47663 403022 47849 403262 47663->47849 47667 4090ad 47666->47667 47668 402252 11 API calls 47667->47668 47669 4090c7 47668->47669 47695 404267 47669->47695 47671 4090d5 47672 40a1b4 47671->47672 47707 40b927 47672->47707 47675 40a205 47677 402093 28 API calls 47675->47677 47676 40a1dd 47678 402093 28 API calls 47676->47678 47679 40a210 47677->47679 47680 40a1e7 47678->47680 47681 402093 28 API calls 47679->47681 47682 41bcef 28 API calls 47680->47682 47684 40a21f 47681->47684 47683 40a1f5 47682->47683 47711 40b19f 31 API calls ___std_exception_copy 47683->47711 47686 41b580 80 API calls 47684->47686 47688 40a224 CreateThread 47686->47688 47687 40a1fc 47689 401fd8 11 API calls 47687->47689 47690 40a24b CreateThread 47688->47690 47691 40a23f CreateThread 47688->47691 47719 40a2b8 47688->47719 47689->47675 47692 401f09 11 API calls 47690->47692 47716 40a2c4 47690->47716 47691->47690 47713 40a2a2 47691->47713 47693 40a25f 47692->47693 47693->47652 47694->47659 47844 40a2ae 164 API calls 47694->47844 47696 402888 22 API calls 47695->47696 47697 40427b 47696->47697 47698 404290 47697->47698 47699 4042a5 47697->47699 47705 4042df 22 API calls 47698->47705 47700 4027e6 28 API calls 47699->47700 47704 4042a3 47700->47704 47702 404299 47706 402c48 22 API calls 47702->47706 47704->47671 47705->47702 47706->47704 47708 40b930 47707->47708 47709 40a1d2 47707->47709 47712 40b9a7 28 API calls 47708->47712 47709->47675 47709->47676 47711->47687 47712->47709 47722 40a2f3 47713->47722 47752 40ad11 47716->47752 47794 40a761 47719->47794 47723 40a30c GetModuleHandleA SetWindowsHookExA 47722->47723 47724 40a36e GetMessageA 47722->47724 47723->47724 47726 40a328 GetLastError 47723->47726 47725 40a380 TranslateMessage DispatchMessageA 47724->47725 47736 40a2ab 47724->47736 47725->47724 47725->47736 47737 41bc1f 47726->47737 47743 441ed1 47737->47743 47740 402093 28 API calls 47741 40a339 47740->47741 47742 
4052fd 28 API calls 47741->47742 47744 441edd 47743->47744 47747 441ccd 47744->47747 47746 41bc43 47746->47740 47748 441ce4 47747->47748 47750 441d1b pre_c_initialization 47748->47750 47751 44062d 20 API calls _free 47748->47751 47750->47746 47751->47750 47759 40ad1f 47752->47759 47753 40a2cd 47754 40ad79 Sleep GetForegroundWindow GetWindowTextLengthW 47755 40b93f 28 API calls 47754->47755 47755->47759 47759->47753 47759->47754 47761 41bb77 GetLastInputInfo GetTickCount 47759->47761 47762 40adbf GetWindowTextW 47759->47762 47764 401f09 11 API calls 47759->47764 47765 40af17 47759->47765 47766 40b927 28 API calls 47759->47766 47768 40ae84 Sleep 47759->47768 47769 441ed1 20 API calls 47759->47769 47771 402093 28 API calls 47759->47771 47775 40ae0c 47759->47775 47776 406383 28 API calls 47759->47776 47778 403014 28 API calls 47759->47778 47779 41bcef 28 API calls 47759->47779 47780 40a671 12 API calls 47759->47780 47781 401fd8 11 API calls 47759->47781 47782 43445a EnterCriticalSection LeaveCriticalSection WaitForSingleObjectEx __Init_thread_wait __Init_thread_footer 47759->47782 47783 401f86 47759->47783 47787 434801 23 API calls __onexit 47759->47787 47788 43441b SetEvent ResetEvent EnterCriticalSection LeaveCriticalSection __Init_thread_footer 47759->47788 47789 40907f 28 API calls 47759->47789 47791 40b9b7 28 API calls 47759->47791 47792 40b783 40 API calls 2 library calls 47759->47792 47793 4052fd 28 API calls 47759->47793 47761->47759 47762->47759 47764->47759 47767 401f09 11 API calls 47765->47767 47766->47759 47767->47753 47768->47759 47769->47759 47771->47759 47773 409097 28 API calls 47773->47775 47775->47759 47775->47773 47790 40b19f 31 API calls ___std_exception_copy 47775->47790 47776->47759 47778->47759 47779->47759 47780->47759 47781->47759 47784 401f8e 47783->47784 47785 402252 11 API calls 47784->47785 47786 401f99 47785->47786 47786->47759 47787->47759 47788->47759 47789->47759 47790->47775 47791->47759 47792->47759 47795 40a776 Sleep 47794->47795 
47818 40a6b0 47795->47818 47797 40a2c1 47798 40a7b6 CreateDirectoryW 47800 40a788 47798->47800 47799 40a7c7 GetFileAttributesW 47799->47800 47800->47795 47800->47797 47800->47798 47800->47799 47801 40a7de SetFileAttributesW 47800->47801 47802 4020df 11 API calls 47800->47802 47804 40a858 PathFileExistsW 47800->47804 47805 401e65 22 API calls 47800->47805 47807 4020b7 28 API calls 47800->47807 47809 40a961 SetFileAttributesW 47800->47809 47814 406e13 28 API calls 47800->47814 47817 401fd8 11 API calls 47800->47817 47831 41c482 47800->47831 47842 41c583 CreateFileW SetFilePointer CloseHandle WriteFile CloseHandle 47800->47842 47801->47800 47802->47800 47804->47800 47812 40a863 47804->47812 47805->47800 47806 4020df 11 API calls 47806->47812 47807->47800 47809->47800 47810 401fd8 11 API calls 47810->47800 47811 406e13 28 API calls 47811->47812 47812->47806 47812->47810 47812->47811 47813 401fe2 28 API calls 47812->47813 47815 401fd8 11 API calls 47812->47815 47841 41c516 32 API calls 47812->47841 47813->47812 47814->47800 47815->47812 47817->47800 47819 40a75d 47818->47819 47821 40a6c6 47818->47821 47819->47800 47820 40a6e5 CreateFileW 47820->47821 47822 40a6f3 GetFileSize 47820->47822 47821->47820 47823 40a728 CloseHandle 47821->47823 47824 40a73a 47821->47824 47825 40a716 47821->47825 47826 40a71d Sleep 47821->47826 47822->47821 47822->47823 47823->47821 47824->47819 47828 409097 28 API calls 47824->47828 47843 40b117 84 API calls 47825->47843 47826->47823 47829 40a756 47828->47829 47830 40a1b4 125 API calls 47829->47830 47830->47819 47832 41c495 CreateFileW 47831->47832 47834 41c4d2 47832->47834 47835 41c4ce 47832->47835 47836 41c4f2 WriteFile 47834->47836 47837 41c4d9 SetFilePointer 47834->47837 47835->47800 47839 41c505 47836->47839 47840 41c507 CloseHandle 47836->47840 47837->47836 47838 41c4e9 CloseHandle 47837->47838 47838->47835 47839->47840 47840->47835 47841->47812 47842->47800 47843->47826 47846 40322e 47845->47846 47855 403618 47846->47855 47848 40323b 
47848->47663 47850 40326e 47849->47850 47851 402252 11 API calls 47850->47851 47852 403288 47851->47852 47853 402336 11 API calls 47852->47853 47854 403031 47853->47854 47854->47277 47856 403626 47855->47856 47857 403644 47856->47857 47858 40362c 47856->47858 47860 40365c 47857->47860 47861 40369e 47857->47861 47866 4036a6 28 API calls 47858->47866 47863 4027e6 28 API calls 47860->47863 47865 403642 47860->47865 47867 4028a4 22 API calls 47861->47867 47863->47865 47865->47848 47866->47865 47869 404186 47868->47869 47870 402252 11 API calls 47869->47870 47871 404191 47870->47871 47879 4041bc 47871->47879 47874 4042fc 47890 404353 47874->47890 47876 40430a 47877 403262 11 API calls 47876->47877 47878 404319 47877->47878 47878->47286 47880 4041c8 47879->47880 47883 4041d9 47880->47883 47882 40419c 47882->47874 47884 4041e9 47883->47884 47885 404206 47884->47885 47887 4041ef 47884->47887 47886 4027e6 28 API calls 47885->47886 47889 404204 47886->47889 47888 404267 28 API calls 47887->47888 47888->47889 47889->47882 47891 40435f 47890->47891 47894 404371 47891->47894 47893 40436d 47893->47876 47895 40437f 47894->47895 47896 404385 47895->47896 47897 40439e 47895->47897 47960 4034e6 28 API calls 47896->47960 47898 402888 22 API calls 47897->47898 47899 4043a6 47898->47899 47901 404419 47899->47901 47902 4043bf 47899->47902 47961 4028a4 22 API calls 47901->47961 47904 4027e6 28 API calls 47902->47904 47907 40439c 47902->47907 47904->47907 47907->47893 47960->47907 47968 43ab1a 47962->47968 47966 4138ca RegSetValueExA RegCloseKey 47965->47966 47967 4138f4 47965->47967 47966->47967 47967->47302 47971 43aa9b 47968->47971 47970 40170d 47970->47304 47972 43aaaa 47971->47972 47973 43aabe 47971->47973 47977 44062d 20 API calls _free 47972->47977 47976 43aaaf pre_c_initialization __alldvrm 47973->47976 47978 4489d7 11 API calls 2 library calls 47973->47978 47976->47970 47977->47976 47978->47976 47982 41b98a ctype ___scrt_get_show_window_mode 47979->47982 47980 402093 28 API calls 
47981 414f84 47980->47981 47981->47311 47982->47980 47983->47328 47985 414f33 47984->47985 47986 414f3d getaddrinfo WSASetLastError 47984->47986 48125 414dc1 29 API calls ___std_exception_copy 47985->48125 47986->47381 47988 414f38 47988->47986 47990 404846 socket 47989->47990 47991 404839 47989->47991 47993 404860 CreateEventW 47990->47993 47994 404842 47990->47994 48126 40489e WSAStartup 47991->48126 47993->47381 47994->47381 47995 40483e 47995->47990 47995->47994 47997 404f65 47996->47997 47998 404fea 47996->47998 47999 404f6e 47997->47999 48000 404fc0 CreateEventA CreateThread 47997->48000 48001 404f7d GetLocalTime 47997->48001 47998->47381 47999->48000 48000->47998 48128 405150 48000->48128 48002 41bc1f 28 API calls 48001->48002 48003 404f91 48002->48003 48127 4052fd 28 API calls 48003->48127 48012 404a1b 48011->48012 48013 4048ee 48011->48013 48014 40497e 48012->48014 48015 404a21 WSAGetLastError 48012->48015 48013->48014 48016 404923 48013->48016 48019 40531e 28 API calls 48013->48019 48014->47381 48015->48014 48017 404a31 48015->48017 48132 420cf1 27 API calls 48016->48132 48020 404932 48017->48020 48021 404a36 48017->48021 48024 40490f 48019->48024 48027 402093 28 API calls 48020->48027 48137 41cb72 30 API calls 48021->48137 48023 40492b 48023->48020 48026 404941 48023->48026 48028 402093 28 API calls 48024->48028 48025 404a40 48138 4052fd 28 API calls 48025->48138 48036 404950 48026->48036 48037 404987 48026->48037 48031 404a80 48027->48031 48029 40491e 48028->48029 48032 41b580 80 API calls 48029->48032 48034 402093 28 API calls 48031->48034 48032->48016 48038 404a8f 48034->48038 48042 402093 28 API calls 48036->48042 48134 421ad1 54 API calls 48037->48134 48039 41b580 80 API calls 48038->48039 48039->48014 48045 40495f 48042->48045 48044 40498f 48047 4049c4 48044->48047 48048 404994 48044->48048 48049 402093 28 API calls 48045->48049 48136 420e97 28 API calls 48047->48136 48052 402093 28 API calls 48048->48052 48053 40496e 48049->48053 48055 4049a3 
48052->48055 48056 41b580 80 API calls 48053->48056 48054 4049cc 48058 4049f9 CreateEventW CreateEventW 48054->48058 48060 402093 28 API calls 48054->48060 48059 402093 28 API calls 48055->48059 48057 404973 48056->48057 48133 41e7a2 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 48057->48133 48058->48014 48061 4049b2 48059->48061 48063 4049e2 48060->48063 48064 41b580 80 API calls 48061->48064 48065 402093 28 API calls 48063->48065 48066 4049b7 48064->48066 48067 4049f1 48065->48067 48135 421143 52 API calls 48066->48135 48069 41b580 80 API calls 48067->48069 48070 4049f6 48069->48070 48070->48058 48139 41b847 GlobalMemoryStatusEx 48071->48139 48073 41b886 48073->47381 48140 4145bb 48074->48140 48078 40dde0 48077->48078 48079 41353a 3 API calls 48078->48079 48081 40dde7 48079->48081 48080 40ddff 48080->47381 48081->48080 48082 413584 3 API calls 48081->48082 48082->48080 48084 4020b7 28 API calls 48083->48084 48085 41bce8 48084->48085 48085->47381 48087 41bdbc 48086->48087 48088 4020b7 28 API calls 48087->48088 48089 41bdce 48088->48089 48089->47381 48090->47395 48092 436f10 ___scrt_get_show_window_mode 48091->48092 48093 41bb46 GetForegroundWindow GetWindowTextW 48092->48093 48094 40417e 28 API calls 48093->48094 48095 41bb70 48094->48095 48095->47395 48097 402093 28 API calls 48096->48097 48098 40f931 48097->48098 48098->47395 48099->47395 48101 4020df 11 API calls 48100->48101 48102 404c27 48101->48102 48103 4020df 11 API calls 48102->48103 48110 404c30 48103->48110 48104 43bda0 ___std_exception_copy 21 API calls 48104->48110 48106 404c96 48108 404ca1 48106->48108 48106->48110 48107 4020b7 28 API calls 48107->48110 48191 404e26 99 API calls 48108->48191 48109 401fe2 28 API calls 48109->48110 48110->48104 48110->48106 48110->48107 48110->48109 48112 401fd8 11 API calls 48110->48112 48178 404cc3 48110->48178 48190 404b96 57 API calls 48110->48190 48112->48110 48113 404ca8 48114 401fd8 11 API calls 48113->48114 48115 404cb1 48114->48115 48116 
401fd8 11 API calls 48115->48116 48117 404cba 48116->48117 48117->47357 48119->47381 48120->47357 48122->47395 48123->47357 48124->47357 48125->47988 48126->47995 48131 40515c 102 API calls 48128->48131 48130 405159 48131->48130 48132->48023 48133->48014 48134->48044 48135->48057 48136->48054 48137->48025 48139->48073 48143 41458e 48140->48143 48144 4145a3 ___scrt_initialize_default_local_stdio_options 48143->48144 48147 43f7ed 48144->48147 48150 43c540 48147->48150 48151 43c580 48150->48151 48152 43c568 48150->48152 48151->48152 48154 43c588 48151->48154 48172 44062d 20 API calls _free 48152->48172 48173 43a837 36 API calls 3 library calls 48154->48173 48155 43c56d pre_c_initialization 48165 43502b 48155->48165 48157 43c598 48174 43ccc6 20 API calls 2 library calls 48157->48174 48160 43c610 48175 43d334 51 API calls 3 library calls 48160->48175 48161 4145b1 48161->47381 48164 43c61b 48176 43cd30 20 API calls _free 48164->48176 48166 435036 IsProcessorFeaturePresent 48165->48166 48167 435034 48165->48167 48169 435078 48166->48169 48167->48161 48177 43503c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 48169->48177 48171 43515b 48171->48161 48172->48155 48173->48157 48174->48160 48175->48164 48176->48155 48177->48171 48179 4020df 11 API calls 48178->48179 48188 404cde 48179->48188 48180 404e13 48181 401fd8 11 API calls 48180->48181 48182 404e1c 48181->48182 48182->48106 48183 401fd8 11 API calls 48183->48188 48184 4020f6 28 API calls 48184->48188 48185 401fc0 28 API calls 48186 404dad CreateEventA CreateThread WaitForSingleObject CloseHandle 48185->48186 48186->48188 48192 415b25 48186->48192 48187 4041a2 28 API calls 48187->48188 48188->48180 48188->48183 48188->48184 48188->48185 48188->48187 48189 401fe2 28 API calls 48188->48189 48189->48188 48190->48110 48191->48113 48193 4020f6 28 API calls 48192->48193 48194 415b47 SetEvent 48193->48194 48195 415b5c 48194->48195 48196 4041a2 28 API calls 48195->48196 48197 415b76 
48196->48197 48198 4020f6 28 API calls 48197->48198 48199 415b86 48198->48199 48200 4020f6 28 API calls 48199->48200 48201 415b98 48200->48201 48202 41beac 28 API calls 48201->48202 48203 415ba1 48202->48203 48204 4170c4 48203->48204 48205 415bc1 GetTickCount 48203->48205 48206 415d6a 48203->48206 48207 401e8d 11 API calls 48204->48207 48208 41bc1f 28 API calls 48205->48208 48206->48204 48266 415d20 48206->48266 48209 4170cd 48207->48209 48210 415bd2 48208->48210 48212 401fd8 11 API calls 48209->48212 48271 41bb77 GetLastInputInfo GetTickCount 48210->48271 48215 4170d9 48212->48215 48214 415d04 48214->48204 48217 401fd8 11 API calls 48215->48217 48216 415bde 48218 41bc1f 28 API calls 48216->48218 48219 4170e5 48217->48219 48220 415be9 48218->48220 48221 41bb27 30 API calls 48220->48221 48222 415bf7 48221->48222 48223 41bdaf 28 API calls 48222->48223 48224 415c05 48223->48224 48225 401e65 22 API calls 48224->48225 48226 415c13 48225->48226 48272 402f31 28 API calls 48226->48272 48228 415c21 48273 402ea1 28 API calls 48228->48273 48230 415c30 48231 402f10 28 API calls 48230->48231 48232 415c3f 48231->48232 48274 402ea1 28 API calls 48232->48274 48234 415c4e 48235 402f10 28 API calls 48234->48235 48236 415c5a 48235->48236 48275 402ea1 28 API calls 48236->48275 48238 415c64 48276 404aa1 61 API calls ctype 48238->48276 48240 415c73 48241 401fd8 11 API calls 48240->48241 48242 415c7c 48241->48242 48243 401fd8 11 API calls 48242->48243 48244 415c88 48243->48244 48245 401fd8 11 API calls 48244->48245 48246 415c94 48245->48246 48247 401fd8 11 API calls 48246->48247 48248 415ca0 48247->48248 48249 401fd8 11 API calls 48248->48249 48250 415cac 48249->48250 48251 401fd8 11 API calls 48250->48251 48252 415cb8 48251->48252 48253 401f09 11 API calls 48252->48253 48254 415cc1 48253->48254 48255 401fd8 11 API calls 48254->48255 48256 415cca 48255->48256 48257 401fd8 11 API calls 48256->48257 48258 415cd3 48257->48258 48259 401e65 22 API calls 48258->48259 48260 415cde 48259->48260 
48261 43bb2c 40 API calls 48260->48261 48262 415ceb 48261->48262 48263 415cf0 48262->48263 48264 415d16 48262->48264 48267 415d09 48263->48267 48268 415cfe 48263->48268 48265 401e65 22 API calls 48264->48265 48265->48266 48266->48204 48278 4050e4 84 API calls 48266->48278 48270 404f51 105 API calls 48267->48270 48277 404ff4 82 API calls 48268->48277 48270->48214 48271->48216 48272->48228 48273->48230 48274->48234 48275->48238 48276->48240 48277->48214 48278->48214 48280->47430 48281->47456 48282->47455 48283->47445 48284->47449 48285->47457 48288 40f7fd 48286->48288 48287 413584 3 API calls 48287->48288 48288->48287 48289 40f8a1 48288->48289 48291 40f891 Sleep 48288->48291 48308 40f82f 48288->48308 48292 409097 28 API calls 48289->48292 48290 409097 28 API calls 48290->48308 48291->48288 48295 40f8ac 48292->48295 48294 41bcef 28 API calls 48294->48308 48296 41bcef 28 API calls 48295->48296 48297 40f8b8 48296->48297 48321 41384f 14 API calls 48297->48321 48300 401f09 11 API calls 48300->48308 48301 40f8cb 48302 401f09 11 API calls 48301->48302 48304 40f8d7 48302->48304 48303 402093 28 API calls 48303->48308 48305 402093 28 API calls 48304->48305 48306 40f8e8 48305->48306 48309 4137aa 14 API calls 48306->48309 48307 4137aa 14 API calls 48307->48308 48308->48290 48308->48291 48308->48294 48308->48300 48308->48303 48308->48307 48319 40d0d1 112 API calls ___scrt_get_show_window_mode 48308->48319 48320 41384f 14 API calls 48308->48320 48310 40f8fb 48309->48310 48322 41288b TerminateProcess WaitForSingleObject 48310->48322 48312 40f903 ExitProcess 48323 412829 62 API calls 48313->48323 48320->48308 48321->48301 48322->48312 48324 42f97e 48325 42f989 48324->48325 48326 42f99d 48325->48326 48328 432f7f 48325->48328 48329 432f8a 48328->48329 48330 432f8e 48328->48330 48329->48326 48332 440f5d 48330->48332 48333 446206 48332->48333 48334 446213 48333->48334 48335 44621e 48333->48335 48336 4461b8 ___crtLCMapStringA 21 API calls 48334->48336 48337 446226 48335->48337 48343 
44622f __Getctype 48335->48343 48341 44621b 48336->48341 48338 446802 _free 20 API calls 48337->48338 48338->48341 48339 446234 48345 44062d 20 API calls _free 48339->48345 48340 446259 RtlReAllocateHeap 48340->48341 48340->48343 48341->48329 48343->48339 48343->48340 48346 443001 7 API calls 2 library calls 48343->48346 48345->48341 48346->48343 48347 426cdc 48352 426d59 send 48347->48352 48353 41e04e 48354 41e063 ctype ___scrt_get_show_window_mode 48353->48354 48356 432f55 21 API calls 48354->48356 48366 41e266 48354->48366 48360 41e213 ___scrt_get_show_window_mode 48356->48360 48357 41e277 48358 41e21a 48357->48358 48359 432f55 21 API calls 48357->48359 48362 41e2b0 ___scrt_get_show_window_mode 48359->48362 48360->48358 48361 432f55 21 API calls 48360->48361 48364 41e240 ___scrt_get_show_window_mode 48361->48364 48362->48358 48368 4335db 48362->48368 48364->48358 48365 432f55 21 API calls 48364->48365 48365->48366 48366->48358 48367 41dbf3 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection ___scrt_get_show_window_mode 48366->48367 48367->48357 48371 4334fa 48368->48371 48370 4335e3 48370->48358 48372 433513 48371->48372 48375 433509 48371->48375 48373 432f55 21 API calls 48372->48373 48372->48375 48374 433534 48373->48374 48374->48375 48377 4338c8 CryptAcquireContextA 48374->48377 48375->48370 48378 4338e4 48377->48378 48379 4338e9 CryptGenRandom 48377->48379 48378->48375 48379->48378 48380 4338fe CryptReleaseContext 48379->48380 48380->48378 48381 426c6d 48387 426d42 recv 48381->48387

                                      Control-flow Graph

                                      APIs
                                      • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                      • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                      • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                      • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                      • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                      • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                      • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                      • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                      • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                      • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                      • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                      • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                      • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                      • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                      • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CD17
                                      • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040EA1C), ref: 0041CD28
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CD2B
                                      • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CD3B
                                      • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CD4B
                                      • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040EA1C), ref: 0041CD5D
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CD60
                                      • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040EA1C), ref: 0041CD6D
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CD70
                                      • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CD84
                                      • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CD98
                                      • LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,0040EA1C), ref: 0041CDAA
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CDAD
                                      • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040EA1C), ref: 0041CDBA
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CDBD
                                      • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040EA1C), ref: 0041CDCA
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CDCD
                                      • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040EA1C), ref: 0041CDDA
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041CDDD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$LibraryLoad$HandleModule
                                      • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                      • API String ID: 4236061018-3687161714
                                      • Opcode ID: 5fded5d77b72a202610b087cc82529c2f7d7b10a8ab2824fd38dfad8e3bd9f71
                                      • Instruction ID: 9b463eec3a0437fb1f175c53e93b0f4db36c95b88d1cb607187732a7b05a7934
                                      • Opcode Fuzzy Hash: 5fded5d77b72a202610b087cc82529c2f7d7b10a8ab2824fd38dfad8e3bd9f71
                                      • Instruction Fuzzy Hash: E2418BA0E8035879DB207BB65D89E3B3E5CD9857953614837B44C93550EBBCEC408EAE

                                      Control-flow Graph
                                      APIs
                                        • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                        • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                        • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                        • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                        • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                        • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                        • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                        • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                        • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                        • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                        • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                        • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                        • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                        • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                        • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                        • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                        • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                        • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                        • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                        • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                        • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                        • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                        • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                        • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                        • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                        • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                        • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                        • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                        • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                      • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe,00000104), ref: 0040EA29
                                        • Part of subcall function 00410F72: __EH_prolog.LIBCMT ref: 00410F77
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                      • String ID: (TG$,aF$,aF$@*|$Access Level: $Administrator$C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe$Exe$Exe$HSG$HSG$Inj$Remcos Agent initialized$Software\$User$`SG$del$del$exepath$licence$license_code.txt$shilajit-ISLNRR$tMG
                                      • API String ID: 2830904901-2494226662
                                      • Opcode ID: f976f17ee8bb52e0d4b82a9473b60eebd4c4dbdb3f227a753039268697e419d9
                                      • Instruction ID: 744eeac4272eceb7f63ef51a6efbfa797c3f505d1bd04c543663c5f487e0f2b9
                                      • Opcode Fuzzy Hash: f976f17ee8bb52e0d4b82a9473b60eebd4c4dbdb3f227a753039268697e419d9
                                      • Instruction Fuzzy Hash: 7D32D860B043416BDA14B7729C57B6E26994F80748F40483FB9467F2E3EEBD8D45839E

                                      Control-flow Graph
                                      APIs
                                      • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
                                      • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
                                      • GetLastError.KERNEL32 ref: 0040A328
                                        • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A376
                                      • TranslateMessage.USER32(?), ref: 0040A385
                                      • DispatchMessageA.USER32(?), ref: 0040A390
                                      Strings
                                      • Keylogger initialization failure: error , xrefs: 0040A33C
                                      Yara matches
                                      Similarity
                                      • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                      • String ID: Keylogger initialization failure: error
                                      • API String ID: 3219506041-952744263
                                      • Opcode ID: ec6ea0f8fe23a749d8e8acf9f7cc52a99e5dbd3939ef256a600925548c7b7f6b
                                      • Instruction ID: bc7b44719e59224dfa2ccda8cade24f8ec1ba8a069f7aee67aec650331f950b6
                                      • Opcode Fuzzy Hash: ec6ea0f8fe23a749d8e8acf9f7cc52a99e5dbd3939ef256a600925548c7b7f6b
                                      • Instruction Fuzzy Hash: 8911C131510301EBC710BB769C0986B77ACEB95715B20097EFC82E22D1FB34C910CBAA

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 00413584: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                                        • Part of subcall function 00413584: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,00475300), ref: 004135C2
                                        • Part of subcall function 00413584: RegCloseKey.KERNEL32(?), ref: 004135CD
                                      • Sleep.KERNEL32(00000BB8), ref: 0040F896
                                      • ExitProcess.KERNEL32 ref: 0040F905
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: CloseExitOpenProcessQuerySleepValue
                                      • String ID: 5.2.0 Pro$@*|$override$pth_unenc
                                      • API String ID: 2281282204-1172116562
                                      • Opcode ID: 3c03a218c075b6ec39c216bc398aa57ef6cd9b47273f335186667c9805b65560
                                      • Instruction ID: 0454f1d730b8de97e77b6af0221289a353f5645d6d0bcfbcd4472c6607f37e61
                                      • Opcode Fuzzy Hash: 3c03a218c075b6ec39c216bc398aa57ef6cd9b47273f335186667c9805b65560
                                      • Instruction Fuzzy Hash: 7421E171B0420127D6087676885B6AE399A9B80708F50453FF409672D6FF7C8E0483AF

                                      Control-flow Graph
                                      APIs
                                      • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
                                      • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
                                      • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
                                      • InternetCloseHandle.WININET(00000000), ref: 0041B4AD
                                      • InternetCloseHandle.WININET(00000000), ref: 0041B4B0
                                      Strings
                                      • http://geoplugin.net/json.gp, xrefs: 0041B448
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$CloseHandleOpen$FileRead
                                      • String ID: http://geoplugin.net/json.gp
                                      • API String ID: 3121278467-91888290
                                      • Opcode ID: f8b7b88f44e13cfdc63bd17292d54b3b7b9fb09318b10958e004bbca1d27f117
                                      • Instruction ID: e320c318363c88f1c040182635621d8729538b68a2f0080144892bf513bd3cc2
                                      • Opcode Fuzzy Hash: f8b7b88f44e13cfdc63bd17292d54b3b7b9fb09318b10958e004bbca1d27f117
                                      • Instruction Fuzzy Hash: 011198311053126BD224AB269C49EBF7F9CEF86765F10043EF945A2282DB689C44C6FA
                                      APIs
                                      • GetLocalTime.KERNEL32(00000001,00474EF0,004755A8,?,?,?,?,00415D11,?,00000001), ref: 00404F81
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EF0,004755A8,?,?,?,?,00415D11,?,00000001), ref: 00404FCD
                                      • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                                      Strings
                                      • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                      Yara matches
                                      Similarity
                                      • API ID: Create$EventLocalThreadTime
                                      • String ID: KeepAlive | Enabled | Timeout:
                                      • API String ID: 2532271599-1507639952
                                      • Opcode ID: 066d78ba7818bee30ed95e00d6410b7cbfa006029d83974b6d81b45a693dc474
                                      • Instruction ID: 4df055e7b18788cc2e6f6b282d58d8d1f041b9f055d7d752625e2c9c7705ec55
                                      • Opcode Fuzzy Hash: 066d78ba7818bee30ed95e00d6410b7cbfa006029d83974b6d81b45a693dc474
                                      • Instruction Fuzzy Hash: D7110A71900385BAC720A7779C0DEABBFACDBD2714F04046FF54162291D6B89445CBBA
                                      APIs
                                      • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00433550,00000034,?,?,007E9370), ref: 004338DA
                                      • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000), ref: 004338F0
                                      • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000,0041E2E2), ref: 00433902
                                      Yara matches
                                      Similarity
                                      • API ID: Crypt$Context$AcquireRandomRelease
                                      • String ID:
                                      • API String ID: 1815803762-0
                                      • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                      • Instruction ID: d68cd6f5f98cbfa2ab0450769c499d20ea76a36e668e3df749659bd42d9a4b78
                                      • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                      • Instruction Fuzzy Hash: 40E09A31208310FBEB301F21AC08F573AA5EF89B66F200A3AF256E40E4D6A68801965C
                                      APIs
                                      • GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750F4), ref: 0041B6BB
                                      • GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
                                      Yara matches
                                      Similarity
                                      • API ID: Name$ComputerUser
                                      • String ID:
                                      • API String ID: 4229901323-0
                                      • Opcode ID: a649893464b8dc9f92fcf892b6f773fc4b962ecf36c796a43829c604b32fbd1e
                                      • Instruction ID: 96a0ba9ffe47efa01ac310f3847ceb2d7b3b0148e4494d8e74ae155582b6cc75
                                      • Opcode Fuzzy Hash: a649893464b8dc9f92fcf892b6f773fc4b962ecf36c796a43829c604b32fbd1e
                                      • Instruction Fuzzy Hash: 9E014F7190011CABCB01EBD1DC45EEDB7BCAF44309F10016AB505B21A1EFB46E888BA8
                                      APIs
                                      • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EF0,00475A10,00474EF0,00000000,00474EF0,00000000,00474EF0,5.2.0 Pro), ref: 0040F920
                                      Yara matches
                                      Similarity
                                      • API ID: InfoLocale
                                      • String ID:
                                      • API String ID: 2299586839-0
                                      • Opcode ID: 4f66370edde0bdaa3bcc008f8ea5ce22c00289683c96eec7ff0f1ed7c7935faa
                                      • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                      • Opcode Fuzzy Hash: 4f66370edde0bdaa3bcc008f8ea5ce22c00289683c96eec7ff0f1ed7c7935faa
                                      • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1

                                      Control-flow Graph

                                      APIs
                                      • Sleep.KERNEL32(00000000,00000029,00475300,004750F4,00000000), ref: 00414FB6
                                      • WSAGetLastError.WS2_32(00000000,00000001), ref: 004151C7
                                      • Sleep.KERNEL32(00000000,00000002), ref: 00415B12
                                        • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep$ErrorLastLocalTime
                                      • String ID: | $%I64u$,aF$5.2.0 Pro$@*|$C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$HSG$TLS Off$TLS On $`SG$hlight$name$shilajit-ISLNRR$tMG
                                      • API String ID: 524882891-1760051904
                                      • Opcode ID: 79900052c1cedfcfdca54da2a4a728cafc0d46dafbcbcd06ae49b5f1d646b7e0
                                      • Instruction ID: d8c825886b0a0d8326cbfb5c9d4cc5050fd80dde9ad4bcb2ea62c87b00a1b781
                                      • Opcode Fuzzy Hash: 79900052c1cedfcfdca54da2a4a728cafc0d46dafbcbcd06ae49b5f1d646b7e0
                                      • Instruction Fuzzy Hash: 03526C31A001155ACB18F732DD96AFEB3769F90348F5044BFE40A761E2EF781E858A9D

                                      Control-flow Graph

                                      APIs
                                      • connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                      • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                      • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                      • WSAGetLastError.WS2_32 ref: 00404A21
                                        • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                      • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                      • API String ID: 994465650-2151626615
                                      • Opcode ID: 38b3cb5bd10e09c7b3bd40259f36f96c9113b6101ffe131655b2f6876ea9c128
                                      • Instruction ID: d7ad8a6a5323ad03425d5def7d05b30a9c8ce31cd4ccd690c712fe6c843f15aa
                                      • Opcode Fuzzy Hash: 38b3cb5bd10e09c7b3bd40259f36f96c9113b6101ffe131655b2f6876ea9c128
                                      • Instruction Fuzzy Hash: AD41E8B575060277C61877BB890B52E7A56AB81308B50017FEA0256AD3FA7D9C108BEF

                                      Control-flow Graph

                                      APIs
                                      • __Init_thread_footer.LIBCMT ref: 0040AD73
                                      • Sleep.KERNEL32(000001F4), ref: 0040AD7E
                                      • GetForegroundWindow.USER32 ref: 0040AD84
                                      • GetWindowTextLengthW.USER32(00000000), ref: 0040AD8D
                                      • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040ADC1
                                      • Sleep.KERNEL32(000003E8), ref: 0040AE8F
                                        • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                      • String ID: [${ User has been idle for $ minutes }$]
                                      • API String ID: 911427763-3954389425
                                      • Opcode ID: f1beafbc65b67ea611c27b04d98e1104d59d3344b0708eb8d40cf24d2962f261
                                      • Instruction ID: 1462e2e3b317a3feaa81e481452c264ee2198f2d95b6ea563507fc8e19ff55dc
                                      • Opcode Fuzzy Hash: f1beafbc65b67ea611c27b04d98e1104d59d3344b0708eb8d40cf24d2962f261
                                      • Instruction Fuzzy Hash: 7F51E1716043419BC714FB62D846AAE7795AF84308F10093FF546A22E2EF7C9D44C69F

                                      Control-flow Graph

                                      APIs
                                      • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DBD5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LongNamePath
                                      • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                      • API String ID: 82841172-425784914
                                      • Opcode ID: f4c7df661c5bec9d099b359126bde6595d68bd7cf9e1ce7f7ed169ab2082938e
                                      • Instruction ID: db29472287e64cad03ac4489520097095d7cef5d056ecb8d0020da3553efca3c
                                      • Opcode Fuzzy Hash: f4c7df661c5bec9d099b359126bde6595d68bd7cf9e1ce7f7ed169ab2082938e
                                      • Instruction Fuzzy Hash: 0A4151715082019AC205F765DC96CAAB7B8AE90758F10053FB146B20E2FFBCAE4DC65B

                                      Control-flow Graph

                                      APIs
                                      • Sleep.KERNEL32(00001388), ref: 0040A77B
                                        • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                        • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                        • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                        • Part of subcall function 0040A6B0: CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                      • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
                                      • GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
                                      • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
                                      • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A859
                                        • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                      • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A962
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                      • String ID: HSG$HSG$xdF
                                      • API String ID: 3795512280-1850865910
                                      • Opcode ID: 94b06e53037e07a132a44a0c171d15b1bbffd87d4b076595ec05959e5486cbcf
                                      • Instruction ID: b4a8632174cffc949347442128fe52ffedc09667b4c22c284aa084888e76bad6
                                      • Opcode Fuzzy Hash: 94b06e53037e07a132a44a0c171d15b1bbffd87d4b076595ec05959e5486cbcf
                                      • Instruction Fuzzy Hash: AC518D716043015ACB15BB72C866ABE77AA9F80349F00483FF642B71E2DF7C9D09865E

                                      Control-flow Graph

                                      APIs
                                      • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C4DE
                                      • CloseHandle.KERNEL32(00000000), ref: 0041C4EA
                                      • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C4FB
                                      • CloseHandle.KERNEL32(00000000), ref: 0041C508
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseHandle$CreatePointerWrite
                                      • String ID: xpF
                                      • API String ID: 1852769593-354647465
                                      • Opcode ID: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                      • Instruction ID: 0233a984b642d2e84dd4fc2cab076f06cd7f632185dc4648213adf39284592b7
                                      • Opcode Fuzzy Hash: 03b5af7f289a82a83928ea742180afc1da621273c2f808e1c0dcbcf6c59c1bfa
                                      • Instruction Fuzzy Hash: 6311E571288215BFE7104A24ACC8EBB739CEB46365F10862BF912D22D0C624DC418639

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                        • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                        • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                        • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                        • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                      • StrToIntA.SHLWAPI(00000000,0046CA08,00000000,00000000,00000000,004750F4,00000003,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0041B3CD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$CloseCurrentOpenQueryValueWow64
                                      • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                      • API String ID: 782494840-2070987746
                                      • Opcode ID: 40b4b818fe30f98410963cd3dc02b2c3b2616f089d502d216bf83757675de9ba
                                      • Instruction ID: 99e2d84e4b8fa31c947f893a9fcbf762d6d1118dcb79bce5eaccee633664c5dc
                                      • Opcode Fuzzy Hash: 40b4b818fe30f98410963cd3dc02b2c3b2616f089d502d216bf83757675de9ba
                                      • Instruction Fuzzy Hash: 0311C47064414926C700F7659C97BFF76198B80304F94453BF806A71D3FB6C598683EE

                                      Control-flow Graph

                                      APIs
                                      • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                      • Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                      • CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseCreateHandleSizeSleep
                                      • String ID: hQG
                                      • API String ID: 1958988193-4070439852
                                      • Opcode ID: bdea57dd96df53d9e829f51e58303117b441e911e19fc522471032f737d6d9df
                                      • Instruction ID: fcd55a72cf9b38ed92eee25b8fc798016c5179a181dae4a4499eb8880f316315
                                      • Opcode Fuzzy Hash: bdea57dd96df53d9e829f51e58303117b441e911e19fc522471032f737d6d9df
                                      • Instruction Fuzzy Hash: 3E113130600740AADA30A7249889A1F37BAD741356F44483EE182676D3C67DDC64C71F

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CountEventTick
                                      • String ID: !D@$,aF
                                      • API String ID: 180926312-3317875915
                                      • Opcode ID: 835ff592c5993026ff64b06b2c7e29c4e321652dc365d191a4eb1ca34464d222
                                      • Instruction ID: a18c2cf71696728a803f4d48a8d0c2278a59ecc2ec6ff56e3a85b819d46b2ac8
                                      • Opcode Fuzzy Hash: 835ff592c5993026ff64b06b2c7e29c4e321652dc365d191a4eb1ca34464d222
                                      • Instruction Fuzzy Hash: 4F51B6315082019AC724FB32D852AFF73A5AF94304F50483FF546671E2EF3C5945C68A

                                      APIs
                                      • CreateThread.KERNEL32(00000000,00000000,0040A2B8,?,00000000,00000000), ref: 0040A239
                                      • CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040A249
                                      • CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040A255
                                        • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                        • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: CreateThread$LocalTimewsprintf
                                      • String ID: Offline Keylogger Started
                                      • API String ID: 465354869-4114347211
                                      • Opcode ID: 8ab6887ada05f8dedd4f656d1a6307b8369bab4b1d95e8e063819601f7111091
                                      • Instruction ID: fa9a7328340dc7f48b0d085764b542104813bfc3ea66268f7111ac5d0199d402
                                      • Opcode Fuzzy Hash: 8ab6887ada05f8dedd4f656d1a6307b8369bab4b1d95e8e063819601f7111091
                                      • Instruction Fuzzy Hash: 1111ABB12003187ED210BB368C87CBB765DDA4139CB40057FF946221C2EA795D14CAFB
                                      APIs
                                      • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                      • RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,00475300,?,?,0040F88E,004674C8,5.2.0 Pro), ref: 004137E1
                                      • RegCloseKey.KERNEL32(?,?,?,0040F88E,004674C8,5.2.0 Pro), ref: 004137EC
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCreateValue
                                      • String ID: pth_unenc
                                      • API String ID: 1818849710-4028850238
                                      • Opcode ID: 04dffd27395d5cb7a301fd27aaace46d1b2beb75a59ed872a5e7c8f8e25a915c
                                      • Instruction ID: b09b06e14e5a963f4ed757ac8f346f2723baee7be417271cc0de3610a50c6458
                                      • Opcode Fuzzy Hash: 04dffd27395d5cb7a301fd27aaace46d1b2beb75a59ed872a5e7c8f8e25a915c
                                      • Instruction Fuzzy Hash: A4F06272500218FBDF00AFA1DC45DEA376CEF04751F108566FD1AA61A1DB359E14DB54
                                      APIs
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F60), ref: 00404DB3
                                      • CreateThread.KERNEL32(00000000,00000000,?,00474F08,00000000,00000000), ref: 00404DC7
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00404DD2
                                      • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00404DDB
                                      Yara matches
                                      Similarity
                                      • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                      • String ID:
                                      • API String ID: 3360349984-0
                                      • Opcode ID: 9e0a8eaf4219b775e830663fcb54a959b6233ae16d1ef5de7dcca6256e783451
                                      • Instruction ID: 30d48123e17294c38ae6f490953f1b42a5ca81467cb0df1087f173bd09261e59
                                      • Opcode Fuzzy Hash: 9e0a8eaf4219b775e830663fcb54a959b6233ae16d1ef5de7dcca6256e783451
                                      • Instruction Fuzzy Hash: 684182B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                                      APIs
                                      • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
                                      • GetLastError.KERNEL32 ref: 0040D0BE
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: CreateErrorLastMutex
                                      • String ID: shilajit-ISLNRR
                                      • API String ID: 1925916568-195909732
                                      • Opcode ID: aba24bfd7e8b808837b934fb3074bb655e41bd047bfda9aafcf34366fa62f390
                                      • Instruction ID: 897831e38bae895769414ba5eaefcaa992d87aaaa8244aa01aad5f1db7de32a1
                                      • Opcode Fuzzy Hash: aba24bfd7e8b808837b934fb3074bb655e41bd047bfda9aafcf34366fa62f390
                                      • Instruction Fuzzy Hash: 62D012B0614301EBDB0467709C5975936559B44702F50487AB50BD95F1CBFC88D08519
                                      APIs
                                      • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                      • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                      • RegCloseKey.KERNEL32(?), ref: 0041362D
                                      Yara matches
                                      Similarity
                                      • API ID: CloseOpenQueryValue
                                      • String ID:
                                      • API String ID: 3677997916-0
                                      • Opcode ID: e238dbc9e2073977e027648aa5af93dfac856dda57be128719874f60decc0002
                                      • Instruction ID: 0661f39b514c0023b6096d8878825bbc81d19e8e8981dfb5b132c5fecbfe39b6
                                      • Opcode Fuzzy Hash: e238dbc9e2073977e027648aa5af93dfac856dda57be128719874f60decc0002
                                      • Instruction Fuzzy Hash: 4A01D676900228FBCB209B91DC08DEF7F7DDB44B51F004066BB05A2240DA748E45DBA4
                                      APIs
                                      • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00475300), ref: 0041374F
                                      • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
                                      • RegCloseKey.KERNEL32(00000000), ref: 00413773
                                      Yara matches
                                      Similarity
                                      • API ID: CloseOpenQueryValue
                                      • String ID:
                                      • API String ID: 3677997916-0
                                      • Opcode ID: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                                      • Instruction ID: cdc8bb2f12cdea1da97e3e4d454c68039a4c25ad8704162e95ac064a0ac82555
                                      • Opcode Fuzzy Hash: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                                      • Instruction Fuzzy Hash: C301AD7540022DFBDF215F91DC04DEB3F38EF05761F008065BE09620A1E7358AA5EB94
                                      APIs
                                      • GetEnvironmentStringsW.KERNEL32 ref: 0044F461
                                      • _free.LIBCMT ref: 0044F49A
                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F4A1
                                      Yara matches
                                      Similarity
                                      • API ID: EnvironmentStrings$Free_free
                                      • String ID:
                                      • API String ID: 2716640707-0
                                      • Opcode ID: 0f2961337cf6473c9b59c8633065eebaee8da3dc7e8e50693e042ad6422b7f19
                                      • Instruction ID: 0fde98e0ac238faa149cd6f420f555edc5ad685e5938876998fddc3cfa248eb7
                                      • Opcode Fuzzy Hash: 0f2961337cf6473c9b59c8633065eebaee8da3dc7e8e50693e042ad6422b7f19
                                      • Instruction Fuzzy Hash: 41E0E537545A226BB211323A6C49D6F2A58CFD27B6726003BF40486242EE288D0641BA
                                      APIs
                                      • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                                      • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,00475300), ref: 004135C2
                                      • RegCloseKey.KERNEL32(?), ref: 004135CD
                                      Yara matches
                                      Similarity
                                      • API ID: CloseOpenQueryValue
                                      • String ID:
                                      • API String ID: 3677997916-0
                                      • Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                      • Instruction ID: 3ea041f737baa467864e73cd7e114674dd940ed34319bd14b5ec79364d8ab256
                                      • Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                      • Instruction Fuzzy Hash: 39F01D76900218FFDF109FA09C45FEE7BBDEB04B11F1044A5BA04E6191D6359F549B94
                                      APIs
                                      • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040C1D7,00466C58), ref: 00413551
                                      • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040C1D7,00466C58), ref: 00413565
                                      • RegCloseKey.KERNEL32(?,?,?,0040C1D7,00466C58), ref: 00413570
                                      Yara matches
                                      Similarity
                                      • API ID: CloseOpenQueryValue
                                      • String ID:
                                      • API String ID: 3677997916-0
                                      • Opcode ID: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                      • Instruction ID: 960a54a16a1ccd4152458ec6927d20d37e2092670a33f2d7c306b576a706ad25
                                      • Opcode Fuzzy Hash: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                      • Instruction Fuzzy Hash: 23E06532801238FBDF204FA29C0DDEB7F6CDF06BA1B000155BD0CA1111D2258E50E6E4
                                      APIs
                                      • RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                      • RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                      • RegCloseKey.KERNEL32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCreateValue
                                      • String ID:
                                      • API String ID: 1818849710-0
                                      • Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                      • Instruction ID: 04d77b696783773a8a307df6842786532c8303179302b097fa31242bc3118ae5
                                      • Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                      • Instruction Fuzzy Hash: 1EE06D72500318FBDF109FA0DC06FEA7BACEF04B62F104565BF09A6191D6358E14E7A8
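The function records above (the CreateThread block tagged "Offline Keylogger Started", the RegCreateKeyA/RegSetValueExA writes under hive 80000001 with the "pth_unenc" and "5.2.0 Pro" strings, the CreateMutexA/GetLastError pair with "shilajit-ISLNRR", and the RegOpenKeyExA reads with access mask 00020019) are easier to triage once pulled out of the listing. The Python below is an added example, not Joe Sandbox code and not part of this report: it parses API-call lines in this report's format into per-function records, decodes the registry constants visible in the arguments (80000001 = HKEY_CURRENT_USER, 00020019 = KEY_READ, 00000004 = REG_DWORD), and applies a few heuristic rules whose names are this example's own. The sample input is a constructed subset of the records above. Joe Sandbox prints more argument slots than the API actually takes (trailing stack contents), so only the leading positional arguments are interpreted.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: API-call lines copied from the function records in
# this report (a subset; the RegCloseKey lines are omitted for brevity).
SAMPLE_LINES = """\
APIs
• CreateThread.KERNEL32(00000000,00000000,0040A2B8,?,00000000,00000000), ref: 0040A239
• String ID: Offline Keylogger Started
APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
• RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,00475300,?,?,0040F88E,004674C8,5.2.0 Pro), ref: 004137E1
• String ID: pth_unenc
APIs
• CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
• GetLastError.KERNEL32 ref: 0040D0BE
• String ID: shilajit-ISLNRR
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
• RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
"""


@dataclass
class ApiCall:
    name: str     # e.g. CreateMutexA
    module: str   # e.g. KERNEL32
    args: list    # raw argument strings as printed ('?' = unresolved)
    ref: int      # call-site address


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)

    @property
    def first_ref(self):
        return self.calls[0].ref if self.calls else None


API_RE = re.compile(
    r"^•\s*(?P<name>\w+)\.(?P<module>\w+)"   # CreateMutexA.KERNEL32
    r"(?:\((?P<args>[^)]*)\))?"              # optional (...) argument list
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"    # ref: 0040D0B3
)
STRING_RE = re.compile(r"^•\s*String ID:\s*(?P<s>.+)$")

HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
KEY_READ = 0x20019


def parse_listing(text):
    """One FunctionRecord per 'APIs' block; subcall and ID/hash lines are ignored."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            current.calls.append(ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16)))
            continue
        m = STRING_RE.match(line)
        if m:
            current.strings.append(m.group("s").strip())
    return records


def hex_arg(arg):
    """Integer value of a hex argument, or None for '?' and non-hex text such as 'Exe'."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def describe_registry_call(call):
    """Decode hive, access mask and value type from the leading Reg* arguments."""
    if call.name in ("RegCreateKeyA", "RegOpenKeyExA") and call.args:
        hive = hex_arg(call.args[0])
        desc = HIVES.get(hive) or ("hive ?" if hive is None else f"hive 0x{hive:08x}")
        if call.name == "RegOpenKeyExA" and len(call.args) >= 4 and hex_arg(call.args[3]) == KEY_READ:
            desc += " (KEY_READ)"
        return desc
    if call.name == "RegSetValueExA" and len(call.args) >= 4:
        rtype = hex_arg(call.args[3])   # dwType is the 4th parameter
        return REG_TYPES.get(rtype) or ("type ?" if rtype is None else f"type 0x{rtype:x}")
    return None


def triage(records):
    """Heuristic rules chosen for this example (not Joe Sandbox signatures)."""
    findings = []
    for rec in records:
        ref = f"{rec.first_ref:08X}" if rec.first_ref is not None else "?"
        names = {c.name for c in rec.calls}
        for c in rec.calls:
            if c.name == "RegCreateKeyA":
                findings.append((ref, "registry-create", describe_registry_call(c)))
            elif c.name == "RegSetValueExA":
                findings.append((ref, "registry-write", describe_registry_call(c)))
            elif c.name == "RegOpenKeyExA":
                findings.append((ref, "registry-read", describe_registry_call(c)))
        # CreateMutex followed by GetLastError is the classic single-instance guard;
        # the String ID printed with the same function is the mutex name.
        if {"CreateMutexA", "GetLastError"} <= names:
            findings.append((ref, "mutex-singleton", ", ".join(rec.strings) or "<unnamed>"))
        for s in rec.strings:
            if "keylogger" in s.lower():
                findings.append((ref, "keylogger-string", s))
    return findings


if __name__ == "__main__":
    for ref, rule, detail in triage(parse_listing(SAMPLE_LINES)):
        print(f"{ref}  {rule:18s} {detail}")
```

Run it on the full report text instead of SAMPLE_LINES to get one line per flagged function, keyed by the first call-site address so it can be cross-referenced with the Instruction ID blocks. The decoded constants are standard Win32 values; the rule names and thresholds are illustrative.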
                                      APIs
                                      • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B85B
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: GlobalMemoryStatus
                                      • String ID: @
                                      • API String ID: 1890195054-2766056989
                                      • Opcode ID: 23b0e77897189e0b78fa4d1d520ef24eb5f5038ce1868e817330353f58216111
                                      • Instruction ID: 3eac6c9810fdf3f5cdd4c6aee73cb3509883e52e26c84b2cc96e0464d85798e3
                                      • Opcode Fuzzy Hash: 23b0e77897189e0b78fa4d1d520ef24eb5f5038ce1868e817330353f58216111
                                      • Instruction Fuzzy Hash: F6D017B58023189FC720DFA8E804A8DBBFCEB08210F00456AEC49E3300E770EC008B84
                                      APIs
                                      • _free.LIBCMT ref: 00446227
                                        • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                      • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?,0000000F,00000000,00432F93,00000000,0000000F,0042F99D,?,?,00431A44,?,?,00000000), ref: 00446263
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeap$_free
                                      • String ID:
                                      • API String ID: 1482568997-0
                                      • Opcode ID: 1f917527c9cd9112a4c2ab4db5d8ca91a49e76957baa276bc02c381a5932faf2
                                      • Instruction ID: 528349031ecf72c594af6ac828cc426c74ce8c7b4bfa82022820746e0f177899
                                      • Opcode Fuzzy Hash: 1f917527c9cd9112a4c2ab4db5d8ca91a49e76957baa276bc02c381a5932faf2
                                      • Instruction Fuzzy Hash: 4CF0283110121176BB213B266C01B6B3759AF83B70B1700ABFC1466281CFBCCC41406F
                                      APIs
                                      • socket.WS2_32(?,00000001,00000006), ref: 00404852
                                      • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
                                        • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                      Yara matches
                                      Similarity
                                      • API ID: CreateEventStartupsocket
                                      • String ID:
                                      • API String ID: 1953588214-0
                                      • Opcode ID: 4d13770ae0ce35ce4dbd6fcc6f24a1261d6c2af77246669734211e402fddb5c6
                                      • Instruction ID: d30f6c82ceabff406a890a607b6903e59214fa94f63df9469096212d3e1caec2
                                      • Opcode Fuzzy Hash: 4d13770ae0ce35ce4dbd6fcc6f24a1261d6c2af77246669734211e402fddb5c6
                                      • Instruction Fuzzy Hash: F90171B1408B809ED7359F28A8456967FE0AB55304F044D6EF1DA97B92D3B5A881CB18
                                      APIs
                                      • GetForegroundWindow.USER32 ref: 0041BB49
                                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BB5C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Window$ForegroundText
                                      • String ID:
                                      • API String ID: 29597999-0
                                      • Opcode ID: 2784d0b2db336add8319ad638143428ee57387129fbd6e48793ce9af45086994
                                      • Instruction ID: 8c7c0eb369f00208a7459315ff6bb8442305c4ed6b2016914032ba092e23deac
                                      • Opcode Fuzzy Hash: 2784d0b2db336add8319ad638143428ee57387129fbd6e48793ce9af45086994
                                      • Instruction Fuzzy Hash: 21E04875A00328A7E720A7A5AC4EFD5776C9708755F0001AEBA1CD61C2EDB4AD448BE5
                                      APIs
                                      • getaddrinfo.WS2_32(00000000,00000000,00000000,00472AF0,004750F4,00000000,004151C3,00000000,00000001), ref: 00414F46
                                      • WSASetLastError.WS2_32(00000000), ref: 00414F4B
                                        • Part of subcall function 00414DC1: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                        • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414E52
                                        • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                        • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                        • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                        • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                        • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                        • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                      • String ID:
                                      • API String ID: 1170566393-0
                                      • Opcode ID: 930efd5b04e65bc9372c1b57b3a52d6002a1f5a2d46d5e1141b82df15956c107
                                      • Instruction ID: b2b0aefd8e35b341f4c894e58f46b645776b5e98a3349e02c71c7f637998c076
                                      • Opcode Fuzzy Hash: 930efd5b04e65bc9372c1b57b3a52d6002a1f5a2d46d5e1141b82df15956c107
                                      • Instruction Fuzzy Hash: 9DD05B322005316BD310576D6C00FFB569EDFD7760B110037F404D3251DA949C8247AC
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _wcslen
                                      • String ID:
                                      • API String ID: 176396367-0
                                      • Opcode ID: 6416f66ed626dfbba5e3356b56a4da38da9dbdb7e4b27ac51402a9fd72fbddea
                                      • Instruction ID: d045c5f40cf3cd8d18dd0e016010c764e1ae3afdbf5b32035de166f485dbb4de
                                      • Opcode Fuzzy Hash: 6416f66ed626dfbba5e3356b56a4da38da9dbdb7e4b27ac51402a9fd72fbddea
                                      • Instruction Fuzzy Hash: 681193319002059BCB15EF66E842AEE7BB5AF54314B10403FF446672E2EF78AD15CB98
                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      • Opcode ID: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                                      • Instruction ID: 139fbca062bb8bf671a891d82c3cf8fc988f9ce198a1a8b78c24da0334343556
                                      • Opcode Fuzzy Hash: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                                      • Instruction Fuzzy Hash: CEE0E531A0021267F6312A269C01B5B76599B437A0F170137AD15922D2CE6CCD0181EF
                                      APIs
                                      • WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Startup
                                      • String ID:
                                      • API String ID: 724789610-0
                                      • Opcode ID: 8e7c991b928bea2de9b1e1f5f99946c2d0cf66c9d18890e3be99548e9599c2f5
                                      • Instruction ID: 8755cd578eecc9cf916cb98f31ec890f8d4d8ec8e876fe09ba6f20fbb4fb2f80
                                      • Opcode Fuzzy Hash: 8e7c991b928bea2de9b1e1f5f99946c2d0cf66c9d18890e3be99548e9599c2f5
                                      • Instruction Fuzzy Hash: 02D0123255C60CCED620ABB4AD0F8A4775CC717616F0403BA6CB5C26D7E6405A2DC2AB
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: recv
                                      • String ID:
                                      • API String ID: 1507349165-0
                                      • Opcode ID: f4db5bd4806bc66e377c48788e3214861744c877e7cd4eb35e6567da0e63c1ec
                                      • Instruction ID: c63eaffdb417a6470c671315a396a42075a312041b5b8b5670d44767818a4bbd
                                      • Opcode Fuzzy Hash: f4db5bd4806bc66e377c48788e3214861744c877e7cd4eb35e6567da0e63c1ec
                                      • Instruction Fuzzy Hash: 26B09279108202FFCA150B60CC0886ABEA6ABC8382B00882DB586411B0C736C851AB26
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: send
                                      • String ID:
                                      • API String ID: 2809346765-0
                                      • Opcode ID: b9ca0b0eaa02557cb4d56b342a6254bf92ad90fc72112118e0a601f448bbd0ca
                                      • Instruction ID: 21703143275c54c82102de5c78eddca0fb0a16d203a0de67c7bd570fb3111ac2
                                      • Opcode Fuzzy Hash: b9ca0b0eaa02557cb4d56b342a6254bf92ad90fc72112118e0a601f448bbd0ca
                                      • Instruction Fuzzy Hash: 87B09B75108301FFD6150760CC0486A7D6597C8341F00491C718741170C635C8515725
                                      APIs
                                      • __Init_thread_footer.LIBCMT ref: 004056E6
                                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                      • __Init_thread_footer.LIBCMT ref: 00405723
                                      • CreatePipe.KERNEL32(00476CDC,00476CC4,00476BE8,00000000,004660CC,00000000), ref: 004057B6
                                      • CreatePipe.KERNEL32(00476CC8,00476CE4,00476BE8,00000000), ref: 004057CC
                                      • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BF8,00476CCC), ref: 0040583F
                                      • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                      • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                      • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                        • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                      • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474FA0,004660D0,00000062,004660B4), ref: 004059E4
                                      • Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
                                      • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                      • CloseHandle.KERNEL32 ref: 00405A23
                                      • CloseHandle.KERNEL32 ref: 00405A2B
                                      • CloseHandle.KERNEL32 ref: 00405A3D
                                      • CloseHandle.KERNEL32 ref: 00405A45
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                      • String ID: @lG$@lG$@lG$@lG$@lG$SystemDrive$cmd.exe$kG$lG$lG$lG$lG
                                      • API String ID: 2994406822-3565532687
                                      • Opcode ID: b68ca69e07cf2efade3c1b410fee926f1740e5449c087315abb30bc2acd6c1d9
                                      • Instruction ID: efba9956b6c01968ba48be3e84054341744464a70a9fb060b5e58b4ef4e39929
                                      • Opcode Fuzzy Hash: b68ca69e07cf2efade3c1b410fee926f1740e5449c087315abb30bc2acd6c1d9
                                      • Instruction Fuzzy Hash: ED91B271600604AFD711FB35AD41A6B3AAAEB84344F01443FF549A72E2DB7D9C488F6D
                                      APIs
                                      • SetEvent.KERNEL32(?,?), ref: 00407CF4
                                      • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
                                      • DeleteFileW.KERNEL32(00000000), ref: 00407DE4
                                        • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,@*|,00475300,00000001), ref: 0041C37D
                                        • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,@*|,00475300,00000001), ref: 0041C3AD
                                        • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,@*|,00475300,00000001), ref: 0041C402
                                        • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,@*|,00475300,00000001), ref: 0041C463
                                        • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,@*|,00475300,00000001), ref: 0041C46A
                                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                        • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                        • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474F08,?), ref: 00404B47
                                        • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474F08,?,?,?,?,?,?,0040547D), ref: 00404B75
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
                                      • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004082B3
                                      • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
                                      • DeleteFileA.KERNEL32(?), ref: 0040868D
                                        • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
                                        • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                        • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                        • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                      • Sleep.KERNEL32(000007D0), ref: 00408733
                                      • StrToIntA.SHLWAPI(00000000,00000000), ref: 00408775
                                        • Part of subcall function 0041CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                      • String ID: (aF$8PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$hPG$hPG$hPG$hPG$open
                                      • API String ID: 1067849700-1785547828
                                      • Opcode ID: b2e61bf4e72140d30d73e66eeb5ed928e9f66979c4dd0beefda9485d20436982
                                      • Instruction ID: d596b55e62c6dc406d7f5c06aadeacefb76b4acf2f669351df47ebe9cc805958
                                      • Opcode Fuzzy Hash: b2e61bf4e72140d30d73e66eeb5ed928e9f66979c4dd0beefda9485d20436982
                                      • Instruction Fuzzy Hash: 9F4282716043016BC604FB76C9579AE77A9AF91348F80483FF582671E2EE7C9908C79B
                                      APIs
                                      • GetCurrentProcessId.KERNEL32 ref: 00412141
                                        • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                        • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                        • Part of subcall function 004138B2: RegCloseKey.KERNEL32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                      • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412181
                                      • CloseHandle.KERNEL32(00000000), ref: 00412190
                                      • CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
                                      • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                      • String ID: (TG$@*|$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                      • API String ID: 3018269243-2750685171
                                      • Opcode ID: 487cb0c94f3c81f9ea2266224390f7fb4e07e51fb2116567e8d70626cc6924ac
                                      • Instruction ID: 26abbb7e12f392f9fbc718c06b30ae47eaa1113e002934215aad22704783e961
                                      • Opcode Fuzzy Hash: 487cb0c94f3c81f9ea2266224390f7fb4e07e51fb2116567e8d70626cc6924ac
                                      • Instruction Fuzzy Hash: 3C71A23160420167C604FB72CD579AE77A4AE94308F40097FF586A61E2FFBC9945C69E
                                      APIs
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
                                      • FindClose.KERNEL32(00000000), ref: 0040BC04
                                      • FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
                                      • FindClose.KERNEL32(00000000), ref: 0040BD4D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$CloseFile$FirstNext
                                      • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                      • API String ID: 1164774033-3681987949
                                      • Opcode ID: 240c7abc9a27c5f0695d89c57ca45c6d86bcae19cd69a5bd1518bd38cb464be9
                                      • Instruction ID: 8b0b2ff803da1d4b435a108118727fe7c74031c8ac088da8990f7d135a86af9b
                                      • Opcode Fuzzy Hash: 240c7abc9a27c5f0695d89c57ca45c6d86bcae19cd69a5bd1518bd38cb464be9
                                      • Instruction Fuzzy Hash: C7514F3190021A9ADB14FBB2DC56AEEB739AF10304F50057FF506721E2FF785A49CA99
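The function entries above expose Remcos capabilities as API sequences rather than as a single indicator: the remote shell is CreatePipe twice, CreateProcessA with the cmd.exe string, then a PeekNamedPipe/ReadFile/WriteFile loop feeding send; the watchdog is OpenMutexA, CreateThread and OpenProcess beside the "Remcos restarted by watchdog!" string; the Firefox routine is a FindFirstFileA walk over the Profiles directory looking for key3.db and logins.json; the name-resolution helper resolves getaddrinfo at run time through LoadLibraryA/GetProcAddress/FreeLibrary. The following Python is an added example, not part of the Joe Sandbox report or of Remcos: it parses this report's "APIs" / "String ID" layout and tags each function with the behaviour its API set and strings imply. The regular expressions, the rule table and the trace excerpt are assumptions of the example (the excerpt is constructed in the report's format with some argument lists shortened), and the clipboard-capture rule goes beyond the entries shown here to the same API-plus-send shape used for the other rules.

```python
"""Classify per-function API traces from a Joe Sandbox style report."""
import re
from dataclasses import dataclass, field

# One "• Api.DLL(args), ref: ADDR" line. "Part of subcall function X:" marks a
# call made by a callee rather than by the function itself.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<callee>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_][\w@]*)\.(?P<dll>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)
# "• String ID: a$b$c" lists the referenced strings separated by '$'.
STRING_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*)$")


@dataclass
class FunctionEntry:
    apis: set = field(default_factory=set)      # direct calls
    subcalls: set = field(default_factory=set)  # calls seen inside callees
    strings: set = field(default_factory=set)
    refs: list = field(default_factory=list)    # call sites, in report order


def parse_trace(text):
    """Split an excerpt into one FunctionEntry per 'APIs' heading."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            (cur.subcalls if m.group("callee") else cur.apis).add(m.group("api"))
            cur.refs.append(m.group("ref"))
            continue
        m = STRING_RE.match(line)
        if m:
            cur.strings.update(s for s in m.group("ids").split("$") if s)
    return entries


# Behaviour signatures (assumed for this example): every listed API must appear,
# directly or in a callee, and when fragments are given at least one referenced
# string must contain one of them (case-insensitive).
RULES = [
    ("reverse_shell",
     {"CreatePipe", "CreateProcessA", "PeekNamedPipe", "ReadFile", "WriteFile"},
     {"cmd.exe"}),
    ("watchdog_process", {"OpenMutexA", "CreateThread", "OpenProcess"}, {"watchdog"}),
    ("firefox_credential_files", {"FindFirstFileA"}, {"logins.json", "key3.db"}),
    ("clipboard_capture", {"OpenClipboard", "GetClipboardData", "send"}, set()),
    ("dynamic_api_resolution", {"LoadLibraryA", "GetProcAddress", "FreeLibrary"}, set()),
]


def classify(entry):
    """Return the names of all rules an entry satisfies."""
    seen = entry.apis | entry.subcalls
    hits = []
    for name, apis, fragments in RULES:
        if not apis <= seen:
            continue
        if fragments and not any(
            f in s.lower() for s in entry.strings for f in fragments
        ):
            continue
        hits.append(name)
    return hits


def scan(text):
    """Map each behaviour to the first call-site address of every matching function."""
    report = {}
    for entry in parse_trace(text):
        for name in classify(entry):
            report.setdefault(name, []).append(entry.refs[0] if entry.refs else None)
    return report


# Constructed excerpt in the report's layout (argument lists shortened).
SAMPLE_TRACE = r"""
APIs
• GetForegroundWindow.USER32 ref: 0041BB49
• GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BB5C
• String ID:
APIs
• getaddrinfo.WS2_32(00000000,00000000,00000000,00472AF0), ref: 00414F46
  • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414E52
  • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
  • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414E79
• String ID:
APIs
• __Init_thread_footer.LIBCMT ref: 004056E6
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• CreatePipe.KERNEL32(00476CDC,00476CC4,00476BE8,00000000), ref: 004057B6
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001), ref: 0040583F
• PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
• ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
• WriteFile.KERNEL32(00000000,00000000,?,00000000), ref: 004059E4
• TerminateProcess.KERNEL32(00000000), ref: 00405A17
• String ID: @lG$SystemDrive$cmd.exe$kG
APIs
• GetCurrentProcessId.KERNEL32 ref: 00412141
• OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412181
• CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
• OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
• String ID: Remcos restarted by watchdog!$Watchdog module activated$rmclient.exe$svchost.exe
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
• FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
• FindClose.KERNEL32(00000000), ref: 0040BD4D
• String ID: [Firefox StoredLogins Cleared!]$UserProfile$\key3.db$\logins.json
APIs
• OpenClipboard.USER32 ref: 004168FD
• GetClipboardData.USER32(0000000D), ref: 004169A7
• CloseClipboard.USER32 ref: 004169BF
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• String ID: !D@$xdF
"""

if __name__ == "__main__":
    for behaviour, sites in sorted(scan(SAMPLE_TRACE).items()):
        print(f"{behaviour}: {', '.join(sites)}")
```

Subcall lines are folded into the same function because the report attributes the send in the clipboard and shell routines to the shared helper at 00404AA1; matching only direct calls would miss the exfiltration step in both. The window-title function in the excerpt matches no rule, which is the intended outcome for a benign-looking API pair on its own.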
                                      APIs
                                      • OpenClipboard.USER32 ref: 004168FD
                                      • EmptyClipboard.USER32 ref: 0041690B
                                      • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
                                      • GlobalLock.KERNEL32(00000000), ref: 00416934
                                      • GlobalUnlock.KERNEL32(00000000), ref: 0041696A
                                      • SetClipboardData.USER32(0000000D,00000000), ref: 00416973
                                      • CloseClipboard.USER32 ref: 00416990
                                      • OpenClipboard.USER32 ref: 00416997
                                      • GetClipboardData.USER32(0000000D), ref: 004169A7
                                      • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                      • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                      • CloseClipboard.USER32 ref: 004169BF
                                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                      • String ID: !D@$xdF
                                      • API String ID: 3520204547-3540039394
                                      APIs
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750F4,?,00475348), ref: 0040F4C9
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00475348), ref: 0040F4F4
                                      • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
                                      • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475348), ref: 0040F59E
                                        • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                        • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                      • CloseHandle.KERNEL32(00000000,?,00475348), ref: 0040F6A9
                                      • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                      • String ID: @*|$C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$xdF$xdF
                                      • API String ID: 3756808967-3824786792
                                      APIs
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
                                      • FindClose.KERNEL32(00000000), ref: 0040BE04
                                      • FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
                                      • FindClose.KERNEL32(00000000), ref: 0040BEEA
                                      • FindClose.KERNEL32(00000000), ref: 0040BF0B
                                      • API ID: Find$Close$File$FirstNext
                                      • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                      • API String ID: 3527384056-432212279
                                      APIs
                                      • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
                                      • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
                                      • GetFileSize.KERNEL32(?,00000000), ref: 0041346D
                                      • UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
                                      • CloseHandle.KERNEL32(00000000), ref: 0041349A
                                      • CloseHandle.KERNEL32(?), ref: 004134A0
                                      • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                      • String ID:
                                      • API String ID: 297527592-0
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,@*|,00475300,00000001), ref: 0041C37D
                                      • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,@*|,00475300,00000001), ref: 0041C3AD
                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,@*|,00475300,00000001), ref: 0041C41F
                                      • DeleteFileW.KERNEL32(?,?,?,?,?,?,@*|,00475300,00000001), ref: 0041C42C
                                        • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,@*|,00475300,00000001), ref: 0041C402
                                      • GetLastError.KERNEL32(?,?,?,?,?,@*|,00475300,00000001), ref: 0041C44D
                                      • FindClose.KERNEL32(00000000,?,?,?,?,?,@*|,00475300,00000001), ref: 0041C463
                                      • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,@*|,00475300,00000001), ref: 0041C46A
                                      • FindClose.KERNEL32(00000000,?,?,?,?,?,@*|,00475300,00000001), ref: 0041C473
                                      • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                      • String ID: @*|
                                      • API String ID: 2341273852-3104024045
                                      • API ID:
                                      • String ID: 0$1$2$3$4$5$6$7
                                      • API String ID: 0-3177665633
                                      APIs
                                      • GetForegroundWindow.USER32(?,?,00475100), ref: 0040A451
                                      • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                      • GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                      • GetKeyState.USER32(00000010), ref: 0040A46E
                                      • GetKeyboardState.USER32(?,?,00475100), ref: 0040A479
                                      • ToUnicodeEx.USER32(00475154,00000000,?,?,00000010,00000000,00000000), ref: 0040A49C
                                      • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                      • ToUnicodeEx.USER32(00475154,?,?,?,00000010,00000000,00000000), ref: 0040A535
                                      • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                      • String ID: (kG
                                      • API String ID: 1888522110-2813241365
                                      APIs
                                        • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                        • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                        • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                        • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                        • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
                                      • ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
                                      • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 004168A6
                                      • GetProcAddress.KERNEL32(00000000), ref: 004168AD
                                      • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                      • String ID: !D@$$aF$(aF$,aF$PowrProf.dll$SetSuspendState
                                      • API String ID: 1589313981-3345310279
                                      APIs
                                      • _wcslen.LIBCMT ref: 0040755C
                                      • CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                      • API ID: Object_wcslen
                                      • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                      • API String ID: 240030777-3166923314
                                      APIs
                                      • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758F8), ref: 0041A7EF
                                      • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
                                      • GetLastError.KERNEL32 ref: 0041A84C
                                      • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
                                      • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                      • String ID:
                                      • API String ID: 3587775597-0
                                      APIs
                                      • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
                                      • FindClose.KERNEL32(00000000), ref: 0040C4B8
                                      • FindClose.KERNEL32(00000000), ref: 0040C4E3
                                      • API ID: Find$CloseFile$FirstNext
                                      • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                      • API String ID: 1164774033-405221262
                                      APIs
                                      • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140D8
                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140E4
                                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                      • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004142A5
                                      • GetProcAddress.KERNEL32(00000000), ref: 004142AC
                                      • API ID: AddressCloseCreateLibraryLoadProcsend
                                      • String ID: SHDeleteKeyW$Shlwapi.dll
                                      • API String ID: 2127411465-314212984
                                      APIs
                                      • FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
                                      • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
                                        • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: File$Find$CreateFirstNext
                                      • String ID: 8eF$HSG$`XG$`XG
                                      • API String ID: 341183262-1600017543
                                      APIs
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
                                      • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
                                      Strings
                                      • open, xrefs: 00406FF1
                                      • 0aF, xrefs: 0040712C
                                      • 0aF, xrefs: 0040701B
                                      • C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, xrefs: 00407042, 0040716A
                                      Yara matches
                                      Similarity
                                      • API ID: DownloadExecuteFileShell
                                      • String ID: 0aF$0aF$C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe$open
                                      • API String ID: 2825088817-797022128
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 0040884C
                                      • FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                      • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                      • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                      • String ID: xdF
                                      • API String ID: 1771804793-999140092
                                      APIs
                                      • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
                                      • GetLastError.KERNEL32 ref: 0040BA93
                                      Strings
                                      • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
                                      • [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
                                      • UserProfile, xrefs: 0040BA59
                                      • [Chrome StoredLogins not found], xrefs: 0040BAAD
                                      Yara matches
                                      Similarity
                                      • API ID: DeleteErrorFileLast
                                      • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                      • API String ID: 2018770650-1062637481
                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                      • OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                      • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                      • GetLastError.KERNEL32 ref: 004179D8
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                      • String ID: SeShutdownPrivilege
                                      • API String ID: 3534403312-3733053543
                                      APIs
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: __floor_pentium4
                                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                      • API String ID: 4168288129-2761157908
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00409293
                                        • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
                                      • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
                                      • FindClose.KERNEL32(00000000), ref: 004093FC
                                        • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                        • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                        • Part of subcall function 00404E26: CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                      • FindClose.KERNEL32(00000000), ref: 004095F4
                                        • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474F08,?), ref: 00404B47
                                        • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474F08,?,?,?,?,?,?,0040547D), ref: 00404B75
                                      Yara matches
                                      Similarity
                                      • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                      • String ID:
                                      • API String ID: 1824512719-0
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
                                      • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
                                      • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
                                      • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
                                      • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ManagerStart
                                      • String ID:
                                      • API String ID: 276877138-0
                                      APIs
                                      • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 00452555
                                      • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 0045257E
                                      • GetACP.KERNEL32 ref: 00452593
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: InfoLocale
                                      • String ID: ACP$OCP
                                      • API String ID: 2299586839-711371036
                                      APIs
                                      • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
                                      • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
                                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: FileFind$FirstNextsend
                                      • String ID: 8eF$hPG$hPG
                                      • API String ID: 4113138495-2076665626
                                      APIs
                                      • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                        • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                        • Part of subcall function 004137AA: RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,00475300,?,?,0040F88E,004674C8,5.2.0 Pro), ref: 004137E1
                                        • Part of subcall function 004137AA: RegCloseKey.KERNEL32(?,?,?,0040F88E,004674C8,5.2.0 Pro), ref: 004137EC
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCreateInfoParametersSystemValue
                                      • String ID: ,aF$Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                      • API String ID: 4127273184-3126330168
                                      APIs
                                      • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B54A
                                      • LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
                                      • LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
                                      • SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: Resource$FindLoadLockSizeof
                                      • String ID: SETTINGS
                                      • API String ID: 3473537107-594951305
                                      • Opcode ID: 7e39093ddf5dcb720cd3caccf1e1277dc2c4d9143844da5a4d70bf483eb1c798
                                      • Instruction ID: e87eb13c1a863bb520e8110b03cd0e44f0123e9e346c2db4eb51eb31bea7c0b5
                                      • Opcode Fuzzy Hash: 7e39093ddf5dcb720cd3caccf1e1277dc2c4d9143844da5a4d70bf483eb1c798
                                      • Instruction Fuzzy Hash: 23E01276600B21EBDB211FB1AC8CD467F25E7C9B533140075FA0582271CB758840DA58
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 004096A5
                                      • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00409746
                                      • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstH_prologNext
                                      • String ID:
                                      • API String ID: 1157919129-0
                                      • Opcode ID: 5e708330bfbdb9036aa787329a800d88489fa4c70442028eebd1807c100a849e
                                      • Instruction ID: 095255599cc0af9be2c5710cd9f248f54336688560ad7ccdcde9a73cf5c292f5
                                      • Opcode Fuzzy Hash: 5e708330bfbdb9036aa787329a800d88489fa4c70442028eebd1807c100a849e
                                      • Instruction Fuzzy Hash: CB813C729001099BCB15EBA2DC969EDB378AF14318F10417FE506B71E2EF789E49CB58
                                      APIs
                                        • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                        • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                        • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                        • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                        • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                        • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                      • GetUserDefaultLCID.KERNEL32 ref: 0045279C
                                      • IsValidCodePage.KERNEL32(00000000), ref: 004527F7
                                      • IsValidLocale.KERNEL32(?,00000001), ref: 00452806
                                      • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
                                      • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 0045286D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                      • String ID:
                                      • API String ID: 745075371-0
                                      • Opcode ID: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                      • Instruction ID: 3c84011e7dbdf7a6f9673bc5a23f9f2f22d5020eb6794df094384b3d0215d6fb
                                      • Opcode Fuzzy Hash: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                      • Instruction Fuzzy Hash: 9B518571900205ABDB10DFA5CD45ABF77B8EF0A702F04046BED14E7292E7B89948CB69
                                      APIs
                                      • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                        • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                        • Part of subcall function 004137AA: RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,00475300,?,?,0040F88E,004674C8,5.2.0 Pro), ref: 004137E1
                                        • Part of subcall function 004137AA: RegCloseKey.KERNEL32(?,?,?,0040F88E,004674C8,5.2.0 Pro), ref: 004137EC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCreateInfoParametersSystemValue
                                      • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                      • API String ID: 4127273184-3576401099
                                      • Opcode ID: 38de7b8f93cc63befc86a6024166ffcd902dfb784ac7839172e09a357c8b3fe7
                                      • Instruction ID: 1d4fccf664b116fd7e9026c1daa93839c24cbfeedf45b0e65449f5778d70c30d
                                      • Opcode Fuzzy Hash: 38de7b8f93cc63befc86a6024166ffcd902dfb784ac7839172e09a357c8b3fe7
                                      • Instruction Fuzzy Hash: DBF0C272BC421022D82931B96DAFBFE18058742F61F15412BF302652CAD4CE6A81428F
                                      APIs
                                        • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                        • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                        • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                        • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                      • IsValidCodePage.KERNEL32(00000000), ref: 00451E3A
                                      • _wcschr.LIBVCRUNTIME ref: 00451ECA
                                      • _wcschr.LIBVCRUNTIME ref: 00451ED8
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00451F7B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                      • String ID:
                                      • API String ID: 4212172061-0
                                      • Opcode ID: 715b93ef3f017ee4fea0110e94a068843382a27aff4af5d2daf4b4fdd25eb79d
                                      • Instruction ID: 2c98265d6c7a89d72caae9d33925a6d6107158c78f730362dcab12f0c71d6669
                                      • Opcode Fuzzy Hash: 715b93ef3f017ee4fea0110e94a068843382a27aff4af5d2daf4b4fdd25eb79d
                                      • Instruction Fuzzy Hash: 7F611976600606AAD714AB75CC42FBB73A8EF04306F14056FFD05DB292EB78E948C769
                                      APIs
                                      • _free.LIBCMT ref: 0044943D
                                        • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                        • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                      • GetTimeZoneInformation.KERNEL32 ref: 0044944F
                                      • WideCharToMultiByte.KERNEL32(00000000,?,00472764,000000FF,?,0000003F,?,?), ref: 004494C7
                                      • WideCharToMultiByte.KERNEL32(00000000,?,004727B8,000000FF,?,0000003F,?,?,?,00472764,000000FF,?,0000003F,?,?), ref: 004494F4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
                                      • String ID:
                                      • API String ID: 806657224-0
                                      • Opcode ID: aeb37be2ef55a5d103ab6b4be93faccb032caed00e04dd613037f001c8cf3bb4
                                      • Instruction ID: d52e19fe16dfdee109f40d049db845c42e01460133d57766726f1505d2785bee
                                      • Opcode Fuzzy Hash: aeb37be2ef55a5d103ab6b4be93faccb032caed00e04dd613037f001c8cf3bb4
                                      • Instruction Fuzzy Hash: 2D31F371904205EFDB15DF69CE8186EBBB8FF0572072446AFE024A73A1D3748D41EB28
                                      APIs
                                        • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                        • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                        • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                        • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                        • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                        • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorInfoLastLocale$_free$_abort
                                      • String ID:
                                      • API String ID: 2829624132-0
                                      • Opcode ID: 711793eb573856c12bfad09b44d2354213151b00c391b4c97ce46ce3e25352d9
                                      • Instruction ID: 283aa9570716a6929da4b93cb0bca45b8c77d553a5ebfd19e37a994bad1de6ac
                                      • Opcode Fuzzy Hash: 711793eb573856c12bfad09b44d2354213151b00c391b4c97ce46ce3e25352d9
                                      • Instruction Fuzzy Hash: F361A235500207ABDF289F24CE82B7A77A8EF05306F1441BBED05C6656E7BC9D89CB58
                                      APIs
                                      • IsDebuggerPresent.KERNEL32 ref: 0043BC69
                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC73
                                      • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                      • String ID:
                                      • API String ID: 3906539128-0
                                      • Opcode ID: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                      • Instruction ID: 25e88f5a56b9fbea854716c485460a06fbe33a825339a9765be54c88dd7cea35
                                      • Opcode Fuzzy Hash: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                      • Instruction Fuzzy Hash: 0431D374901218ABCB21DF65D9887CDBBB8EF0C311F5051EAE81CA7251EB749F818F48
                                      APIs
                                      • GetCurrentProcess.KERNEL32(?,?,0044332B,?), ref: 00443376
                                      • TerminateProcess.KERNEL32(00000000,?,0044332B,?), ref: 0044337D
                                      • ExitProcess.KERNEL32 ref: 0044338F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$CurrentExitTerminate
                                      • String ID:
                                      • API String ID: 1703294689-0
                                      • Opcode ID: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                      • Instruction ID: 4b22f3a5ffe79ca7dfb81d814e561f82a31e4bef9a776fe0bb9daccb8e878f4b
                                      • Opcode Fuzzy Hash: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                      • Instruction Fuzzy Hash: 9FE0B635401608FBDF11AF55DE09A5D3BAAEB40B56F005469FC498A272CF79EE42CB88
                                      APIs
                                      • OpenClipboard.USER32(00000000), ref: 0040B74C
                                      • GetClipboardData.USER32(0000000D), ref: 0040B758
                                      • CloseClipboard.USER32 ref: 0040B760
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Clipboard$CloseDataOpen
                                      • String ID:
                                      • API String ID: 2058664381-0
                                      • Opcode ID: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
                                      • Instruction ID: 1c65eecdd0087a0ffd0b0a04a5b63b9ff0c479b34dfa65f2e767e94bdce73387
                                      • Opcode Fuzzy Hash: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
                                      • Instruction Fuzzy Hash: 45E0EC31745320EFC3206B609C49F9B6AA4DF85B52F05443AB905BB2E5DB78CC4086AD
                                      APIs
                                      • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041605F,00000000), ref: 0041BBD1
                                      • NtResumeProcess.NTDLL(00000000), ref: 0041BBDE
                                      • CloseHandle.KERNEL32(00000000,?,?,0041605F,00000000), ref: 0041BBE7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$CloseHandleOpenResume
                                      • String ID:
                                      • API String ID: 3614150671-0
                                      • Opcode ID: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                      • Instruction ID: dbaabbb0ea2570487ff62d8cf89bd30b477e7113d13ca21b8680662729a76e86
                                      • Opcode Fuzzy Hash: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                      • Instruction Fuzzy Hash: 66D05E36204121E3C320176A7C0CD97AD68DBC5AA2705412AF804C26649A60CC0186E4
                                      APIs
                                      • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041603A,00000000), ref: 0041BBA5
                                      • NtSuspendProcess.NTDLL(00000000), ref: 0041BBB2
                                      • CloseHandle.KERNEL32(00000000,?,?,0041603A,00000000), ref: 0041BBBB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$CloseHandleOpenSuspend
                                      • String ID:
                                      • API String ID: 1999457699-0
                                      • Opcode ID: 15699d522662e94a36dc9f627e6c03bf4f255e4023340f214c75571920ff47a0
                                      • Instruction ID: 1e4755145751be78863ec26184204985b99a3e1fec7ed1e2fa2d7a7f5aac3163
                                      • Opcode Fuzzy Hash: 15699d522662e94a36dc9f627e6c03bf4f255e4023340f214c75571920ff47a0
                                      • Instruction Fuzzy Hash: 73D05E36104121E3C6211B6A7C0CD97AD68DFC5AA2705412AF904D26509A20CC0186E4
                                      APIs
                                      • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InfoLocale
                                      • String ID: GetLocaleInfoEx
                                      • API String ID: 2299586839-2904428671
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
                                      • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 00412129
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$FreeProcess
                                      • String ID:
                                      • API String ID: 3859560861-0
                                      APIs
                                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004533A6,?,?,00000008,?,?,0045625D,00000000), ref: 004535D8
                                      Yara matches
                                      Similarity
                                      • API ID: ExceptionRaise
                                      • String ID:
                                      • API String ID: 3997070919-0
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: 0
                                      • API String ID: 0-4108050209
                                      APIs
                                      • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434CCF
                                      Yara matches
                                      Similarity
                                      • API ID: FeaturePresentProcessor
                                      • String ID:
                                      • API String ID: 2325560087-0
                                      APIs
                                        • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                        • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                        • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                        • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                        • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                        • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$_free$InfoLocale_abort
                                      • String ID:
                                      • API String ID: 1663032902-0
                                      APIs
                                        • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                        • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                        • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                        • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                      • EnumSystemLocalesW.KERNEL32(00452143,00000001), ref: 0045208D
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                      • String ID:
                                      • API String ID: 1084509184-0
                                      APIs
                                        • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                        • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                        • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                        • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                      • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$InfoLocale_abort_free
                                      • String ID:
                                      • API String ID: 2692324296-0
                                      APIs
                                        • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                        • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                        • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                        • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                      • EnumSystemLocalesW.KERNEL32(00452393,00000001), ref: 00452102
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                      • String ID:
                                      • API String ID: 1084509184-0
                                      APIs
                                        • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(-0006D41D,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
                                      • EnumSystemLocalesW.KERNEL32(Function_0004843E,00000001,0046EAE0,0000000C), ref: 004484BC
                                      Yara matches
                                      Similarity
                                      • API ID: CriticalEnterEnumLocalesSectionSystem
                                      • String ID:
                                      • API String ID: 1272433827-0
                                      APIs
                                        • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                        • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                        • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                        • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                      • EnumSystemLocalesW.KERNEL32(00451F27,00000001), ref: 00452007
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                      • String ID:
                                      • API String ID: 1084509184-0
                                      APIs
                                      • SetUnhandledExceptionFilter.KERNEL32(Function_00034BE4,0043490B), ref: 00434BDD
                                      Yara matches
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled
                                      • String ID:
                                      • API String ID: 3192549508-0
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: @
                                      • API String ID: 0-2766056989
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c092c4f6b84b18e3b6cbbf7fe4413e1147b07dd6558fe569cc2693f6d3c9d2d8
                                      • Instruction ID: 4200599dcb49c21c1ca78238ad82984ca11e49a574bdd01b256a4bdf4e559873
                                      • Opcode Fuzzy Hash: c092c4f6b84b18e3b6cbbf7fe4413e1147b07dd6558fe569cc2693f6d3c9d2d8
                                      • Instruction Fuzzy Hash: D2322521D69F414DE7239A35CC22336A24CBFB73C5F15D737E81AB5AAAEB29C4834105
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 11fe0a22ef666ee2c1bed35089f8503541a39c5702d52e9a7652229b453a748b
                                      • Instruction ID: 06c66d0f35fb266b7f69fbfce4f1f639eb17408d85dd7e5468211ecdc8378744
                                      • Opcode Fuzzy Hash: 11fe0a22ef666ee2c1bed35089f8503541a39c5702d52e9a7652229b453a748b
                                      • Instruction Fuzzy Hash: 7932C2716087459BC715DF28C4807ABB7E5BF84318F040A3EF89587392D779D98ACB8A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 069969c8f4566116342464d842351c7afe0a72e1e3c3dbe851ab1ff53bf1dd64
                                      • Instruction ID: b033fe34555866f616fd3cc64b543b740d9cc82fbf2d17309ab2a27531c6336b
                                      • Opcode Fuzzy Hash: 069969c8f4566116342464d842351c7afe0a72e1e3c3dbe851ab1ff53bf1dd64
                                      • Instruction Fuzzy Hash: 6C02CEB17046528BC358CF2EEC5053AB7E1AB8D311744863EE495C7781EB35FA22CB94
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 82c6eebf497a8783bea5e127f8a47c76021f3e74a05456d4a9fdc662aa60ff2a
                                      • Instruction ID: 06b531cc06dcd57701b547059d2c567c45bbe225ee7d26ac7aed84b394be02a5
                                      • Opcode Fuzzy Hash: 82c6eebf497a8783bea5e127f8a47c76021f3e74a05456d4a9fdc662aa60ff2a
                                      • Instruction Fuzzy Hash: 2DF19D716142558FC348CF1DE8A187BB3E1FB89311B450A2EF582C3391DB79EA16CB56
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                      • Instruction ID: 2ce137016e68017aebaac4bbf916a57dff7c64f07ba89619fc9d118b501662d8
                                      • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                      • Instruction Fuzzy Hash: F9C1D5B22091930AEF3D4639853063FFAA05E957B171A635FE4F2CB2D4FE18C924D514
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                      • Instruction ID: bc2d6065b6eca92eb436045fb502f22698d18e4b36ed1375ff5d5b4a3f5914d0
                                      • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                      • Instruction Fuzzy Hash: 75C1D7722091930AEF2D4739853463FFAA15EA57B171A236FE4F2CB2D4FE28C924D514
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                      • Instruction ID: 708e8454946620f186a1700387687a053fc407bd339bf74556c1f47a113f5a1a
                                      • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                      • Instruction Fuzzy Hash: 95C1C3B220D0930AEF3D4639853063FFAA15EA67B171A675ED4F2CB2D4FE18C924D614
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                      • Instruction ID: 79ee4f31eba35b7567f7a499d226924a3a6c1d38d98321864059dc3c63d33f3d
                                      • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                      • Instruction Fuzzy Hash: 76C1E6B220D0930AEF3D4639853463FBAA15EA57B171A236FD4F2CB2D4FE18C924C614
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2e85d6dc501202f3c2e801dccf0940871ddf0a86c450432c97aa3465398b7722
                                      • Instruction ID: 096ff1c695f9ab27d4b2dbab46670c8098de74970727e2ec16deab2a6828ec1d
                                      • Opcode Fuzzy Hash: 2e85d6dc501202f3c2e801dccf0940871ddf0a86c450432c97aa3465398b7722
                                      • Instruction Fuzzy Hash: EAB1A37951429A8ACB05EF68C4913F63BA1EF6A301F0850B9EC9CCF757D2398506EB24
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                                      • Instruction ID: 32d6082e35155a0a096806a6943d6f48c3d67459c64856e3d931f7c23e0710f9
                                      • Opcode Fuzzy Hash: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                                      • Instruction Fuzzy Hash: 59618971202709A6EE34892B88967BF63949F6D314F10342FE983DB3C1D65DDD82931E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                                      • Instruction ID: 5d22fc1bcc5d638cf6a4a0606be4d5c4d5bba199c703cf788a7f99cafe8d65e8
                                      • Opcode Fuzzy Hash: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                                      • Instruction Fuzzy Hash: 12615871602718A6DA38592B88977BF2384EB2D344F94351BE483DB3C1D75EAD43871E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                      • Instruction ID: 6c705508b021f12d90b9f9697341ee8142861c1d23b7247138392dbd6e0aa073
                                      • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                      • Instruction Fuzzy Hash: 59517671603604A7EF3445AB85567BF63899B0E304F18395FE882C73C2C52DDE02875E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                      • Instruction ID: 84bf5d8b6cf777f915eff3509e2c27b9c7ae744ab127a35c194aadb47efed811
                                      • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                      • Instruction Fuzzy Hash: E1517761E0660557DF38892A94D67BF23A59B4E308F18351FE483CB3C2C65EEE06835E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5391bdb46e7b363b15ab8dfbfe7515acbec1a5683836347dd09947684361f79a
                                      • Instruction ID: d4d389248adab082d17fbdeb677dfbf93ddf16fcbb8c162b69e64d6cf0e33668
                                      • Opcode Fuzzy Hash: 5391bdb46e7b363b15ab8dfbfe7515acbec1a5683836347dd09947684361f79a
                                      • Instruction Fuzzy Hash: 61615B72A083059BC308DF35E481A5FB7E4AFCC718F814E2EF595D6151EA74EA08CB86
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                      • Instruction ID: 582e3a7babb983407823034c482dc4f24404013c153b7f4d28c3fef3b0c68a44
                                      • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                      • Instruction Fuzzy Hash: 43113B7720034183D60CAA6DC4B45BBD795EADE320FBD627FF0414B744CA2AD4459508
                                      APIs
                                      • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
                                      • CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
                                        • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
                                      • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
                                      • DeleteDC.GDI32(00000000), ref: 00418F65
                                      • DeleteDC.GDI32(00000000), ref: 00418F68
                                      • DeleteObject.GDI32(00000000), ref: 00418F6B
                                      • SelectObject.GDI32(00000000,00000000), ref: 00418F8C
                                      • DeleteDC.GDI32(00000000), ref: 00418F9D
                                      • DeleteDC.GDI32(00000000), ref: 00418FA0
                                      • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
                                      • GetCursorInfo.USER32(?), ref: 00418FE2
                                      • GetIconInfo.USER32(?,?), ref: 00418FF8
                                      • DeleteObject.GDI32(?), ref: 00419027
                                      • DeleteObject.GDI32(?), ref: 00419034
                                      • DrawIcon.USER32(00000000,?,?,?), ref: 00419041
                                      • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00660046), ref: 00419077
                                      • GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
                                      • LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
                                      • GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
                                      • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
                                      • DeleteDC.GDI32(?), ref: 004191B7
                                      • DeleteDC.GDI32(00000000), ref: 004191BA
                                      • DeleteObject.GDI32(00000000), ref: 004191BD
                                      • GlobalFree.KERNEL32(?), ref: 004191C8
                                      • DeleteObject.GDI32(00000000), ref: 0041927C
                                      • GlobalFree.KERNEL32(?), ref: 00419283
                                      • DeleteDC.GDI32(?), ref: 00419293
                                      • DeleteDC.GDI32(00000000), ref: 0041929E
                                      Strings
                                      • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                                      • String ID: DISPLAY
                                      • API String ID: 4256916514-865373369
                                      • Opcode ID: c1f87ec315365c2bd807a29870f8556d4033a7f08f871e569c42423f77b65dc4
                                      • Instruction ID: 987d9a4534759b20ade43e5cc0d007ec6aae9fd5378911baa39845865ae00971
                                      • Opcode Fuzzy Hash: c1f87ec315365c2bd807a29870f8556d4033a7f08f871e569c42423f77b65dc4
                                      • Instruction Fuzzy Hash: D8C15C71504301AFD720DF25DC48BABBBE9EB88715F04482EF98993291DB34ED45CB6A
                                      APIs
                                        • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                        • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
                                      • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
                                      • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
                                        • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,00475300,pth_unenc,0040D0F3,@*|,00475300,?,pth_unenc), ref: 0040B8F6
                                        • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(00475100), ref: 0040B902
                                        • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                        • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
                                      • ExitProcess.KERNEL32 ref: 0040D80B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                      • String ID: """, 0$")$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$HSG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$tMG$wend$while fso.FileExists("$xdF$xpF
                                      • API String ID: 1861856835-1567776996
                                      • Opcode ID: 378485639873f91e3566d37bd4c9dc270e24a7b07407a649f66661562ec7a51b
                                      • Instruction ID: 74aa42f7ec26bf67edaf4e1a165d404297a62af2c65c2789fcbb2c22ca84ca6d
                                      • Opcode Fuzzy Hash: 378485639873f91e3566d37bd4c9dc270e24a7b07407a649f66661562ec7a51b
                                      • Instruction Fuzzy Hash: B991B1316082005AC315FB62D8529AFB3A8AF94309F50443FB64AA71E3EF7C9D49C65E
                                      APIs
                                      • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                                      • GetProcAddress.KERNEL32(00000000), ref: 00418174
                                      • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                                      • GetProcAddress.KERNEL32(00000000), ref: 00418188
                                      • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041819C
                                      • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                                      • GetProcAddress.KERNEL32(00000000), ref: 004181B0
                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                                      • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                                      • GetThreadContext.KERNEL32(?,00000000), ref: 00418280
                                      • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004182A6
                                      • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418328
                                      • TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
                                      • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
                                      • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00418446
                                      • SetThreadContext.KERNEL32(?,00000000), ref: 00418463
                                      • ResumeThread.KERNEL32(?), ref: 00418470
                                      • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
                                      • GetCurrentProcess.KERNEL32(?), ref: 00418492
                                      • TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
                                      • GetLastError.KERNEL32 ref: 004184B5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                      • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                      • API String ID: 4188446516-3035715614
                                      • Opcode ID: 8f07b7a254e48d041da81a251375b09bf463a0f5c88c0795319c3241d295ec1a
                                      • Instruction ID: 6e605283caf6159cf0966bfa06415cd8be065dbd330dc5e1b11c181c8b11ae87
                                      • Opcode Fuzzy Hash: 8f07b7a254e48d041da81a251375b09bf463a0f5c88c0795319c3241d295ec1a
                                      • Instruction Fuzzy Hash: 5AA14DB0604301AFDB209F64DD85B6B7BE8FB88745F04482EF689D6291EB78DC44CB59
                                      APIs
                                        • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                        • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,00475300,?,pth_unenc), ref: 0040D1E0
                                      • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
                                      • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,00475300,?,pth_unenc), ref: 0040D223
                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00475300,?,pth_unenc), ref: 0040D232
                                        • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,00475300,pth_unenc,0040D0F3,@*|,00475300,?,pth_unenc), ref: 0040B8F6
                                        • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(00475100), ref: 0040B902
                                        • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                        • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,00475300), ref: 0041BA30
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
                                      • ExitProcess.KERNEL32 ref: 0040D454
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                      • String ID: ")$.vbs$@*|$HSG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$tMG$wend$while fso.FileExists("$xdF$xpF
                                      • API String ID: 3797177996-3732316529
                                      • Opcode ID: ef64bbdb6b6bc413f4a38ff03c8248d9edabe3d8d9292ccc6fe4a1ee121b6e30
                                      • Instruction ID: d04a29aa4e51556796b06844e147f4a7cb6a24a543372ca0e3e4f3e54a9e1c14
                                      • Opcode Fuzzy Hash: ef64bbdb6b6bc413f4a38ff03c8248d9edabe3d8d9292ccc6fe4a1ee121b6e30
                                      • Instruction Fuzzy Hash: 7781A1716082405BC715FB62D8529AF73A8AF94308F10443FB58A671E3EF7C9E49C69E
                                      APIs
                                      • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750F4,00000003), ref: 004124CF
                                      • ExitProcess.KERNEL32(00000000), ref: 004124DB
                                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
                                      • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
                                      • CloseHandle.KERNEL32(00000000), ref: 00412576
                                      • GetCurrentProcessId.KERNEL32 ref: 0041257C
                                      • PathFileExistsW.SHLWAPI(?), ref: 004125AD
                                      • GetTempPathW.KERNEL32(00000104,?), ref: 00412610
                                      • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
                                      • lstrcatW.KERNEL32(?,.exe), ref: 0041263C
                                        • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                      • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
                                      • Sleep.KERNEL32(000001F4), ref: 004126BD
                                      • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
                                      • CloseHandle.KERNEL32(00000000), ref: 004126E4
                                      • GetCurrentProcessId.KERNEL32 ref: 004126EA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                      • String ID: (TG$.exe$HSG$WDH$exepath$open$temp_
                                      • API String ID: 2649220323-4116078715
                                      • Opcode ID: 1946e344db4618885ae756797aea411b1648c6a2fe0413653f6271bec6169604
                                      • Instruction ID: 24c9a3d3f9f851b6826daa3a71410153ee30a0e468f06c14c2e22e8a151f545e
                                      • Opcode Fuzzy Hash: 1946e344db4618885ae756797aea411b1648c6a2fe0413653f6271bec6169604
                                      • Instruction Fuzzy Hash: B551C771A00315BBDB10ABA09C99EFE336D9B04755F10416BF901E72D2EFBC8E85865D
                                      APIs
                                      • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
                                      • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
                                      • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EF0,00000000), ref: 0041B21F
                                      • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
                                      • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
                                      • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
                                      • SetEvent.KERNEL32 ref: 0041B2AA
                                      • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
                                      • CloseHandle.KERNEL32 ref: 0041B2CB
                                      • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
                                      • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                      • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                                      • API String ID: 738084811-1354618412
                                      • Opcode ID: 8d58fbfb6190c3f3b09755e9cec4986d803daceaa2324f9e2d03a17bc5feb97a
                                      • Instruction ID: 3073296416e4f75d74a960dba2816641598052066ba22d453d93bca4cbe87184
                                      • Opcode Fuzzy Hash: 8d58fbfb6190c3f3b09755e9cec4986d803daceaa2324f9e2d03a17bc5feb97a
                                      • Instruction Fuzzy Hash: 4E51A5B12442056ED714B731DC96EBF379CDB80359F10053FB24A621E2EF789D4986AE
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401D55
                                      • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401D7F
                                      • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401D8F
                                      • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401D9F
                                      • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401DAF
                                      • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401DBF
                                      • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401DD0
                                      • WriteFile.KERNEL32(00000000,00472ACA,00000002,00000000,00000000), ref: 00401DE1
                                      • WriteFile.KERNEL32(00000000,00472ACC,00000004,00000000,00000000), ref: 00401DF1
                                      • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401E01
                                      • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401E12
                                      • WriteFile.KERNEL32(00000000,00472AD6,00000002,00000000,00000000), ref: 00401E23
                                      • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401E33
                                      • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401E43
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$Write$Create
                                      • String ID: RIFF$WAVE$data$fmt
                                      • API String ID: 1602526932-4212202414
                                      • Opcode ID: 827ce642555df21a050573d9d5a330f37f16d9829fec6a71b542a6fa22e9225d
                                      • Instruction ID: 52f5d26e7cd893c7c7a939122a780f0294375d64c437cdec10b118f5e091287a
                                      • Opcode Fuzzy Hash: 827ce642555df21a050573d9d5a330f37f16d9829fec6a71b542a6fa22e9225d
                                      • Instruction Fuzzy Hash: 61414D72644208BAE210DB51DD85FBB7FECEB89F54F40041AFA44D6081E7A5E909DBB3
                                      APIs
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe,00000001,00407688,C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe,00000003,004076B0,@*|,00407709), ref: 004072BF
                                      • GetProcAddress.KERNEL32(00000000), ref: 004072C8
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
                                      • GetProcAddress.KERNEL32(00000000), ref: 004072E0
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
                                      • GetProcAddress.KERNEL32(00000000), ref: 004072F4
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
                                      • GetProcAddress.KERNEL32(00000000), ref: 00407308
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
                                      • GetProcAddress.KERNEL32(00000000), ref: 0040731C
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
                                      • GetProcAddress.KERNEL32(00000000), ref: 00407330
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressHandleModuleProc
                                      • String ID: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                      • API String ID: 1646373207-1466272809
                                      • Opcode ID: acc633f1adce617efce258e7e3813168510e5abee68bf21287a11e169d765cdb
                                      • Instruction ID: 830827c477b4c5a159b6e54fb752daf43fd3ce12eed95b51e760902f95858ec4
                                      • Opcode Fuzzy Hash: acc633f1adce617efce258e7e3813168510e5abee68bf21287a11e169d765cdb
                                      • Instruction Fuzzy Hash: 66015EA0E4431676DB116F7AAD44D5B7EDD9E41351311087BB405E2292EEBCE800C9AE
                                      APIs
                                      • _wcslen.LIBCMT ref: 0040CE42
                                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750F4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
                                      • CopyFileW.KERNEL32(C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe,00000000,00000000,00000000,00000000,00000000,?,004750F4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CF0B
                                      • _wcslen.LIBCMT ref: 0040CF21
                                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
                                      • CopyFileW.KERNEL32(C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe,00000000,00000000), ref: 0040CFBF
                                      • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
                                      • _wcslen.LIBCMT ref: 0040D001
                                      • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750F4,0000000E), ref: 0040D068
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
                                      • ExitProcess.KERNEL32 ref: 0040D09D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                      • String ID: 6$@*|$C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe$del$open$xdF
                                      • API String ID: 1579085052-1170721743
                                      • Opcode ID: 0fa9b5b1dd786efaf3be6b7155859af5081faa42a1eb35d72d6144a2fd8a8eb1
                                      • Instruction ID: ff97e746579a928a3d51456624c9bd3823d06e613cf3e42bd6c526c8f9e3827f
                                      • Opcode Fuzzy Hash: 0fa9b5b1dd786efaf3be6b7155859af5081faa42a1eb35d72d6144a2fd8a8eb1
                                      • Instruction Fuzzy Hash: 8051C620208302ABD615B7769C92A6F67999F84719F10443FF609BA1E3EF7C9C05866E
                                      APIs
                                      • lstrlenW.KERNEL32(?), ref: 0041C0C7
                                      • _memcmp.LIBVCRUNTIME ref: 0041C0DF
                                      • lstrlenW.KERNEL32(?), ref: 0041C0F8
                                      • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C133
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
                                      • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
                                      • lstrcmpW.KERNEL32(?,?), ref: 0041C1A5
                                      • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
                                      • _wcslen.LIBCMT ref: 0041C1CC
                                      • FindVolumeClose.KERNEL32(?), ref: 0041C1EC
                                      • GetLastError.KERNEL32 ref: 0041C204
                                      • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C231
                                      • lstrcatW.KERNEL32(?,?), ref: 0041C24A
                                      • lstrcpyW.KERNEL32(?,?), ref: 0041C259
                                      • GetLastError.KERNEL32 ref: 0041C261
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                      • String ID: ?
                                      • API String ID: 3941738427-1684325040
                                      • Opcode ID: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
                                      • Instruction ID: 8d48ee17a24f37a9bc83e71ffc922dd471ae74eb47091415c6e266b1ff6a60c4
                                      • Opcode Fuzzy Hash: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
                                      • Instruction Fuzzy Hash: B541A671584316EBD720DFA0DC889DBB7ECEB84745F00092BF545D2162EB78CA88CB96
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$EnvironmentVariable$_wcschr
                                      • String ID:
                                      • API String ID: 3899193279-0
                                      • Opcode ID: 28687395a6aa2078608bd89f57b343956b66557142a9620950dd617db5e8e69e
                                      • Instruction ID: 2409d22e097b45b84bdb59948eb4ebc1cd1141af37d2d18b4001dba56dac1aed
                                      • Opcode Fuzzy Hash: 28687395a6aa2078608bd89f57b343956b66557142a9620950dd617db5e8e69e
                                      • Instruction Fuzzy Hash: E3D135B1D003006FFB24AF799D82A6B7BA8EF01314F05417FE945A7382EB7D99098759
                                      APIs
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
                                        • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,00475300), ref: 0041BA30
                                        • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                        • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                      • Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
                                      • Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
                                      • Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
                                      • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
                                      • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
                                      • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
                                      • Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
                                      • Sleep.KERNEL32(00000064), ref: 00412ECF
                                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                      • String ID: /stext "$,aF$@TG$@TG
                                      • API String ID: 1223786279-971885606
                                      • Opcode ID: fec93c9289c1766bf46719126c79de9011d1f9e0700ce836de87cdf7ea2c4a35
                                      • Instruction ID: 54c64e465a66050ec466d83b34d0c9889d7f3cdaa7358c1e9e14d2467042f0e2
                                      • Opcode Fuzzy Hash: fec93c9289c1766bf46719126c79de9011d1f9e0700ce836de87cdf7ea2c4a35
                                      • Instruction Fuzzy Hash: 5B0268315083414AC325FB62D891AEFB3E5AFD0348F50483FF58A971E2EF785A49C65A
                                      APIs
                                      • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D66B
                                      • GetCursorPos.USER32(?), ref: 0041D67A
                                      • SetForegroundWindow.USER32(?), ref: 0041D683
                                      • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
                                      • Shell_NotifyIconA.SHELL32(00000002,00474B58), ref: 0041D6EE
                                      • ExitProcess.KERNEL32 ref: 0041D6F6
                                      • CreatePopupMenu.USER32 ref: 0041D6FC
                                      • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                      • String ID: Close
                                      • API String ID: 1657328048-3535843008
                                      • Opcode ID: 73816c5193d16127c0aec765399ca9dfe531eb1d692a29e38a1feb3416d684dd
                                      • Instruction ID: b66198a42bffced696eb94d9f3abdc54ecf3157c52e3fd06dc0985426ba48be4
                                      • Opcode Fuzzy Hash: 73816c5193d16127c0aec765399ca9dfe531eb1d692a29e38a1feb3416d684dd
                                      • Instruction Fuzzy Hash: 51216BB1500208FFDF054FA4ED0EAAA7B35EB08302F000125FA19950B2D779EDA1EB18
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$Info
                                      • String ID:
                                      • API String ID: 2509303402-0
                                      • Opcode ID: 6f6fc0ac27b4b2f00b1102b51bee0220b0be09f2ed36c41455f2b0a14b53fe9c
                                      • Instruction ID: 03d8b0dccc9171d7b4ee81f85837dfa1205ba0d7832ce976ccf3d084d520ac26
                                      • Opcode Fuzzy Hash: 6f6fc0ac27b4b2f00b1102b51bee0220b0be09f2ed36c41455f2b0a14b53fe9c
                                      • Instruction Fuzzy Hash: AFB1CE719002059FEB21DF69C881BEEBBF4BF09304F15842EF495A7242DB79AC458B69
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408D1E
                                      • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
                                      • __aulldiv.LIBCMT ref: 00408D88
                                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                        • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                      • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
                                      • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
                                      • CloseHandle.KERNEL32(00000000), ref: 00408F9F
                                      • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FE9
                                      • CloseHandle.KERNEL32(00000000), ref: 00409037
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                      • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $xdF
                                      • API String ID: 3086580692-731956494
                                      • Opcode ID: 966f2b8a52828e5852c36c7200f095a726508005ada64ea9ce90e921c0413125
                                      • Instruction ID: 2d1ece25e1b497defd969945f9de4b01d63c4d7912a1bb42583949d7b10afa87
                                      • Opcode Fuzzy Hash: 966f2b8a52828e5852c36c7200f095a726508005ada64ea9ce90e921c0413125
                                      • Instruction Fuzzy Hash: 76B1A0316083409BC314FB26C941AAFB7E5AFC4358F40492FF589622D2EF789945CB9B
                                      APIs
                                        • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                        • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                        • Part of subcall function 00413733: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00475300), ref: 0041374F
                                        • Part of subcall function 00413733: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
                                        • Part of subcall function 00413733: RegCloseKey.KERNEL32(00000000), ref: 00413773
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
                                      • ExitProcess.KERNEL32 ref: 0040D9FF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                      • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$HSG$Temp$exepath$open$xdF
                                      • API String ID: 1913171305-3121233398
                                      • Opcode ID: a6785ec93dcaa828c2725d5a80a16d8a1d64272e6ee7c762ad3af656f080ac9c
                                      • Instruction ID: 050033375253242a90a907d975c9615f3488646990559cd5331657e2136e0730
                                      • Opcode Fuzzy Hash: a6785ec93dcaa828c2725d5a80a16d8a1d64272e6ee7c762ad3af656f080ac9c
                                      • Instruction Fuzzy Hash: 514139319001155ACB15FBA2DC56DEEB778AF50709F10017FB10AB21E2FF785E4ACA98
                                      APIs
                                      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                      • LoadLibraryA.KERNEL32(?), ref: 00414E52
                                      • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                      • FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                      • LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                      • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                      • FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                      • FreeLibrary.KERNEL32(00000000), ref: 00414EF0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                      • String ID: \ws2_32$\wship6$getaddrinfo
                                      • API String ID: 2490988753-3078833738
                                      • Opcode ID: 93ac1047b93552b97dd98974212ca4d4f14522e3aac142c7c555de1a9c5e5d12
                                      • Instruction ID: 3afff981d8ce70f6205f85204df1f21ec1f12b20cff6a054e3a0857f0929e507
                                      • Opcode Fuzzy Hash: 93ac1047b93552b97dd98974212ca4d4f14522e3aac142c7c555de1a9c5e5d12
                                      • Instruction Fuzzy Hash: 3231C2B2906315ABD7209F65CC84EDF76DCAB84754F004A2AF984A3211D738D985CBAE
                                      APIs
                                      • ___free_lconv_mon.LIBCMT ref: 0045138A
                                        • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
                                        • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
                                        • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
                                        • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
                                        • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
                                        • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
                                        • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
                                        • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
                                        • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
                                        • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
                                        • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
                                        • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
                                        • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
                                      • _free.LIBCMT ref: 0045137F
                                        • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                        • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                      • _free.LIBCMT ref: 004513A1
                                      • _free.LIBCMT ref: 004513B6
                                      • _free.LIBCMT ref: 004513C1
                                      • _free.LIBCMT ref: 004513E3
                                      • _free.LIBCMT ref: 004513F6
                                      • _free.LIBCMT ref: 00451404
                                      • _free.LIBCMT ref: 0045140F
                                      • _free.LIBCMT ref: 00451447
                                      • _free.LIBCMT ref: 0045144E
                                      • _free.LIBCMT ref: 0045146B
                                      • _free.LIBCMT ref: 00451483
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                      • String ID:
                                      • API String ID: 161543041-0
                                      • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                      • Instruction ID: 2428002f6fd8eb1a99257b9b861ac38f7c05b5b97acacff09fd9d8cf260fe807
                                      • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                      • Instruction Fuzzy Hash: 403193715003009FEB20AA39D846F5B73E8EF02315F62992FE849D7662DF78AD44C729
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free
                                      • String ID:
                                      • API String ID: 269201875-0
                                      • Opcode ID: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                      • Instruction ID: 80ca3ff3fa16d46db3e6ae4c9b8471dba03f652ca918f9f25067e0b92ee87d4d
                                      • Opcode Fuzzy Hash: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                      • Instruction Fuzzy Hash: 30C183B6D40204ABEB20DBA9CC43FDE77F8AB09705F150166FE04EB283D6B49D459768
                                      APIs
                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                      • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                      • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                      • closesocket.WS2_32(000000FF), ref: 00404E5A
                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                                      • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                                      • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBF
                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EC4
                                      • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                                      • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                      • String ID:
                                      • API String ID: 3658366068-0
                                      • Opcode ID: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                      • Instruction ID: 681aebbacbf541c1c6cd6dfca6fba55586e42b113d9ea1c0d4e3a90daa9851ad
                                      • Opcode Fuzzy Hash: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                      • Instruction Fuzzy Hash: DE21EA71154B04AFDB216B26DC49B1BBBA1FF40326F104A2DE2E211AF1CB79B851DB58
                                      APIs
                                        • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000,?,00455D04,00000000,0000000C), ref: 00455946
                                      • GetLastError.KERNEL32 ref: 00455D6F
                                      • __dosmaperr.LIBCMT ref: 00455D76
                                      • GetFileType.KERNEL32(00000000), ref: 00455D82
                                      • GetLastError.KERNEL32 ref: 00455D8C
                                      • __dosmaperr.LIBCMT ref: 00455D95
                                      • CloseHandle.KERNEL32(00000000), ref: 00455DB5
                                      • CloseHandle.KERNEL32(?), ref: 00455EFF
                                      • GetLastError.KERNEL32 ref: 00455F31
                                      • __dosmaperr.LIBCMT ref: 00455F38
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                      • String ID: H
                                      • API String ID: 4237864984-2852464175
                                      • Opcode ID: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                      • Instruction ID: 7cd045c9b8f196398d23f94ba58010557f508cd7b58f44c29b3e784ccbbfb847
                                      • Opcode Fuzzy Hash: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                      • Instruction Fuzzy Hash: 44A14532A106049FDF19AF68DC657BE3BA0EB06325F24015EEC11AB392D6398D1AC759
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free
                                      • String ID: \&G$\&G$`&G
                                      • API String ID: 269201875-253610517
                                      • Opcode ID: d7fd4124445081cfc97c5454a1c142f1a87d4c625925bb8ca3a98cb7b9f8d762
                                      • Instruction ID: 59c4f5d9f803fa3be21c2588ad204ea2c1e8261bb9e1a4607c4596bf86990b35
                                      • Opcode Fuzzy Hash: d7fd4124445081cfc97c5454a1c142f1a87d4c625925bb8ca3a98cb7b9f8d762
                                      • Instruction Fuzzy Hash: 86610E75900205AFDB21DF69C842B9ABBF4EF06710F24426BED44EB242E774AD45CB58
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: 65535$udp
                                      • API String ID: 0-1267037602
                                      • Opcode ID: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                      • Instruction ID: a9902b4e2b63063b067a15c036b171ad6d3a8658db747517b03e91dd9f9ead29
                                      • Opcode Fuzzy Hash: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                      • Instruction Fuzzy Hash: FB51D431605301ABDB609B14E905BFB77E8ABC5754F08042FF88597390E76CCCC1969E
                                      APIs
                                      • OpenClipboard.USER32 ref: 0041697C
                                      • EmptyClipboard.USER32 ref: 0041698A
                                      • CloseClipboard.USER32 ref: 00416990
                                      • OpenClipboard.USER32 ref: 00416997
                                      • GetClipboardData.USER32(0000000D), ref: 004169A7
                                      • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                      • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                      • CloseClipboard.USER32 ref: 004169BF
                                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                      • String ID: !D@$xdF
                                      • API String ID: 2172192267-3540039394
                                      • Opcode ID: 6e7a658acb981bf194e97a1bd3e3b97bf04fb426e11316d22ad3474e21385c8b
                                      • Instruction ID: 51ec5b3583c04982a71d168622c94cade283f75070810aedfe93923cca0dc87c
                                      • Opcode Fuzzy Hash: 6e7a658acb981bf194e97a1bd3e3b97bf04fb426e11316d22ad3474e21385c8b
                                      • Instruction Fuzzy Hash: 41014C31204301EFC714BB72DC49AAE7BA5AF88742F40047EF906861E2DF388C45C659
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
                                      • GetLastError.KERNEL32(?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
                                      • __dosmaperr.LIBCMT ref: 0043A926
                                      • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
                                      • GetLastError.KERNEL32(?,?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
                                      • __dosmaperr.LIBCMT ref: 0043A963
                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401BD9,?), ref: 0043A9A6
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,00401BD9,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
                                      • __dosmaperr.LIBCMT ref: 0043A9B7
                                      • _free.LIBCMT ref: 0043A9C3
                                      • _free.LIBCMT ref: 0043A9CA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                      • String ID:
                                      • API String ID: 2441525078-0
                                      • Opcode ID: 9262cdba7b4adcfb063e64ce379082e8e02018adb4241b1373288f504c0df5cf
                                      • Instruction ID: 3a2165a63a30732921e8d6571a772c998230e0148124485b419b79488018c54b
                                      • Opcode Fuzzy Hash: 9262cdba7b4adcfb063e64ce379082e8e02018adb4241b1373288f504c0df5cf
                                      • Instruction Fuzzy Hash: 8631D5B180420AFBDF01AFA5CC45EAF3B6CEF09324F11451AF950662A1DB38CD61DB66
                                      APIs
                                      • SetEvent.KERNEL32(?,?), ref: 004054BF
                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                      • TranslateMessage.USER32(?), ref: 0040557E
                                      • DispatchMessageA.USER32(?), ref: 00405589
                                      • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F88), ref: 00405641
                                      • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                      • String ID: CloseChat$DisplayMessage$GetMessage
                                      • API String ID: 2956720200-749203953
                                      • Opcode ID: bb29f532cbff4e4936c62511684b77f9061ec6679f6d2234e893f2ded877dd36
                                      • Instruction ID: af141abdc89e6f99b360bf73ca1bd21391e8bea30a055eafc68b1e1601de11b4
                                      • Opcode Fuzzy Hash: bb29f532cbff4e4936c62511684b77f9061ec6679f6d2234e893f2ded877dd36
                                      • Instruction Fuzzy Hash: 6F419E71604301ABCB14FB76DC5A86F37A9AB85704F40493EF516A32E1EF3C8905CB9A
                                      APIs
                                        • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
                                      • CloseHandle.KERNEL32(00000000), ref: 00417E20
                                      • DeleteFileA.KERNEL32(00000000), ref: 00417E2F
                                      • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DE3
                                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                      • String ID: <$@$@VG$@VG$Temp
                                      • API String ID: 1704390241-1291085672
                                      • Opcode ID: 48174c96874ddb1bc79234c66e05c6785ff65f59bcf2873874e0dc4e48980577
                                      • Instruction ID: 17e4c8e037c7e297ff37edeb8814921eaebe5ca95f3622e3753009d7d6553322
                                      • Opcode Fuzzy Hash: 48174c96874ddb1bc79234c66e05c6785ff65f59bcf2873874e0dc4e48980577
                                      • Instruction Fuzzy Hash: 15417E319002199ACB14FB62DC56AEE7735AF00318F50417EF50A761E1EF7C5A8ACB99
                                      APIs
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
                                      • int.LIBCPMT ref: 00410EBC
                                        • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                        • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                      • std::_Facet_Register.LIBCPMT ref: 00410EFC
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
                                      • __Init_thread_footer.LIBCMT ref: 00410F64
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                      • String ID: <kG$@!G$@kG
                                      • API String ID: 3815856325-4100743575
                                      • Opcode ID: 92c60c4b3aca24074658904995ff5281d88556c34e2f97828f11a1926fe6b537
                                      • Instruction ID: 0588f859592fb32d2b707c82d02c9514845f82bff388d80d729849e078334d39
                                      • Opcode Fuzzy Hash: 92c60c4b3aca24074658904995ff5281d88556c34e2f97828f11a1926fe6b537
                                      • Instruction Fuzzy Hash: 622107329005249BCB14FBAAD8429DE7769DF48324F21416FF904E72D1DBB9AD818BDC
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
                                      • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
                                      • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ControlManager
                                      • String ID:
                                      • API String ID: 221034970-0
                                      • Opcode ID: f3cbb515e58a4fb37b38339a7557c8d97296d1e23fa900708d81cf8e9cd3026f
                                      • Instruction ID: a7ddf6af562b27afc3fdb57d9320cc893b1711f81dd6882f7bac22400d97ef93
                                      • Opcode Fuzzy Hash: f3cbb515e58a4fb37b38339a7557c8d97296d1e23fa900708d81cf8e9cd3026f
                                      • Instruction Fuzzy Hash: 1411E931501218BFD711AF64DC85CFF3B6CDB41B66B000426FA0692191EB689D46AAFA
                                      APIs
                                      • _free.LIBCMT ref: 004481B5
                                        • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                        • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                      • _free.LIBCMT ref: 004481C1
                                      • _free.LIBCMT ref: 004481CC
                                      • _free.LIBCMT ref: 004481D7
                                      • _free.LIBCMT ref: 004481E2
                                      • _free.LIBCMT ref: 004481ED
                                      • _free.LIBCMT ref: 004481F8
                                      • _free.LIBCMT ref: 00448203
                                      • _free.LIBCMT ref: 0044820E
                                      • _free.LIBCMT ref: 0044821C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                      • Instruction ID: 68a5115f29dd4dda1e04096f5587add38bc33a27c3b2fba9646c6a67a64c999e
                                      • Opcode Fuzzy Hash: 7409258e8d3de90c3944c0df00460aed843c684c15a9003062b0a9d40dd376ab
                                      • Instruction Fuzzy Hash: AA11E9B6901108BFDB01FF55C852CDD3B65FF05354B0244AAF9488F222DB75DE509B95
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 0041A04A
                                      • GdiplusStartup.GDIPLUS(00474AE0,?,00000000), ref: 0041A07C
                                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
                                      • Sleep.KERNEL32(000003E8), ref: 0041A18E
                                      • GetLocalTime.KERNEL32(?), ref: 0041A196
                                      • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                      • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                      • API String ID: 489098229-3790400642
                                      • Opcode ID: 49b368db4e9e7e60bbeb8abd80ae96f82f19b5c1f99d9777cf0882a092ba5413
                                      • Instruction ID: ac563f1b8c988fbcbdb25ffa0f060f034023d1de15a29d9718e9897573209577
                                      • Opcode Fuzzy Hash: 49b368db4e9e7e60bbeb8abd80ae96f82f19b5c1f99d9777cf0882a092ba5413
                                      • Instruction Fuzzy Hash: 3F518E70A00215AACB14BBB5C8529FD77A9AF54308F40403FF509AB1E2EF7C4D85C799
                                      APIs
                                      • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
                                        • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                      • Sleep.KERNEL32(00000064), ref: 0041755C
                                      • DeleteFileW.KERNEL32(00000000), ref: 00417590
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CreateDeleteExecuteShellSleep
                                      • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                      • API String ID: 1462127192-2001430897
                                      • Opcode ID: d77e28aa0d71a2c0645bdac896068900cc72b96445f33e651967d26bcbdf3e2a
                                      • Instruction ID: 4d831fdf2c11e0d815db77489a542135a470e493f6e320739c61594aa9f7fbeb
                                      • Opcode Fuzzy Hash: d77e28aa0d71a2c0645bdac896068900cc72b96445f33e651967d26bcbdf3e2a
                                      • Instruction Fuzzy Hash: A4313D71940119AADB04FBA1DC96DED7739AF50309F00017EF606731E2EF785A8ACA9C
                                      APIs
                                      • GetCurrentProcess.KERNEL32(00472B28,00000000,?,00003000,00000004,00000000,00000001), ref: 00407418
                                      • GetCurrentProcess.KERNEL32(00472B28,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe), ref: 004074D9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CurrentProcess
                                      • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                      • API String ID: 2050909247-4242073005
                                      • Opcode ID: 1a1eb9634b651143de70fee5b7a2289a57af99024fb0b6e7e4d2875ac9661c3b
                                      • Instruction ID: b8c3dc73ce560081c95a6921e0e4b034ac7c55c8f908ce4a4bfc67d5bc942e58
                                      • Opcode Fuzzy Hash: 1a1eb9634b651143de70fee5b7a2289a57af99024fb0b6e7e4d2875ac9661c3b
                                      • Instruction Fuzzy Hash: 7631C271604700ABD311EF65DE46F1677A8FB48315F10087EF509E6292DBB8B8418B6E
                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
                                        • Part of subcall function 0041D5A0: RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                        • Part of subcall function 0041D5A0: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                        • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
                                      • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
                                      • lstrcpynA.KERNEL32(00474B70,Remcos,00000080), ref: 0041D558
                                      • Shell_NotifyIconA.SHELL32(00000000,00474B58), ref: 0041D56E
                                      • TranslateMessage.USER32(?), ref: 0041D57A
                                      • DispatchMessageA.USER32(?), ref: 0041D584
                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D591
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                      • String ID: Remcos
                                      • API String ID: 1970332568-165870891
                                      • Opcode ID: 731e0475cdd51c62647780fa2fa3280f65193767bc99efc51189d173a824088e
                                      • Instruction ID: c2fc9e39e559a2afed00746d39c192473857db467f2681b349ddfe36236392a3
                                      • Opcode Fuzzy Hash: 731e0475cdd51c62647780fa2fa3280f65193767bc99efc51189d173a824088e
                                      • Instruction Fuzzy Hash: 11015EB1840348EBD7109FA1EC4CFABBBBCABC5705F00406AF505921A1D7B8E885CB6D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2617abffa626f75de14076698c196880abdc2722d48b4afa90194addc5c06332
                                      • Instruction ID: c312da418a410335279f0cc1971bad4557be7deeadefc114a47e367d78dfde09
                                      • Opcode Fuzzy Hash: 2617abffa626f75de14076698c196880abdc2722d48b4afa90194addc5c06332
                                      • Instruction Fuzzy Hash: 94C1FA70D04249AFEF11DFA8CC41BAE7BB0AF09304F19415AE915A7392C77C9941CB69
                                      APIs
                                      • GetCPInfo.KERNEL32(?,?), ref: 00453EAF
                                      • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00453F32
                                      • __alloca_probe_16.LIBCMT ref: 00453F6A
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00453FC5
                                      • __alloca_probe_16.LIBCMT ref: 00454014
                                      • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00453FDC
                                        • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00454058
                                      • __freea.LIBCMT ref: 00454083
                                      • __freea.LIBCMT ref: 0045408F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                      • String ID:
                                      • API String ID: 201697637-0
                                      • Opcode ID: 38c45374c982bab9fdca9225a0eff17244eb70fd61b25fca2b6ccb3a02645299
                                      • Instruction ID: 957693029e8655488503f3238c5b69ab87e72ad781d0cd1ca1c521277c14990f
                                      • Opcode Fuzzy Hash: 38c45374c982bab9fdca9225a0eff17244eb70fd61b25fca2b6ccb3a02645299
                                      • Instruction Fuzzy Hash: 2B91D472E002069BDB208E65C846EEFBBF59F49756F14051BED00EB282D73DCD898769
                                      APIs
                                        • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                        • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                        • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                        • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                      • _memcmp.LIBVCRUNTIME ref: 004454A4
                                      • _free.LIBCMT ref: 00445515
                                      • _free.LIBCMT ref: 0044552E
                                      • _free.LIBCMT ref: 00445560
                                      • _free.LIBCMT ref: 00445569
                                      • _free.LIBCMT ref: 00445575
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorLast$_abort_memcmp
                                      • String ID: C
                                      • API String ID: 1679612858-1037565863
                                      • Opcode ID: cea386491646d7d3f1b23945ae788b4f36899b89ad91b0431e936bcc0a348579
                                      • Instruction ID: c5fa7cd4a0def74fccfc383a36f0c71fd12082b8797d706f49daa7c6421ebafc
                                      • Opcode Fuzzy Hash: cea386491646d7d3f1b23945ae788b4f36899b89ad91b0431e936bcc0a348579
                                      • Instruction Fuzzy Hash: D4B13775A016199FEB24DF18C885BAEB7B4FF48304F5085EAE809A7351E774AE90CF44
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: tcp$udp
                                      • API String ID: 0-3725065008
                                      • Opcode ID: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                      • Instruction ID: 4fb2fbaa1818e082f2863e0a7c91e4ace7fe62ed23b491eff3584b955907a2f3
                                      • Opcode Fuzzy Hash: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                      • Instruction Fuzzy Hash: FC7197706083028FDB248F55D4817ABB7E4AFC8355F20482FF88697351E778DE858B9A
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Eventinet_ntoa
                                      • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                                      • API String ID: 3578746661-168337528
                                      • Opcode ID: a03d1adf9f4d24460575b4b506fb4f9aa5cd3765f54f836e8a5c879b1408514f
                                      • Instruction ID: cd9a01f22de2d9f6a9994d78948339ea64d6c0f71f497d0a384e35af32d82467
                                      • Opcode Fuzzy Hash: a03d1adf9f4d24460575b4b506fb4f9aa5cd3765f54f836e8a5c879b1408514f
                                      • Instruction Fuzzy Hash: 0E51C531A042015BC724FB36D95AAAE36A5AB80344F40453FF606576F2EF7C8985C7DE
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EF0,00465FB4,?,00000000,00408037,00000000), ref: 00407A00
                                      • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A48
                                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                      • CloseHandle.KERNEL32(00000000,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A88
                                      • MoveFileW.KERNEL32(00000000,00000000), ref: 00407AA5
                                      • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AD0
                                      • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
                                        • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474F08,00404C49,00000000,00000000,00000000,?,00474F08,?), ref: 00404BA5
                                        • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                      • String ID: .part
                                      • API String ID: 1303771098-3499674018
                                      • Opcode ID: 2150a189df16d023aaea6f06597ff48a5e6b6566d5180279f80c020d780b3e8b
                                      • Instruction ID: fa021c15c5d1e87e569c09a19ead990ccf19330fc060556597d24b4305e87d8f
                                      • Opcode Fuzzy Hash: 2150a189df16d023aaea6f06597ff48a5e6b6566d5180279f80c020d780b3e8b
                                      • Instruction Fuzzy Hash: 3A31B571508345AFC310EB61D84599FB3A8FF94359F00493FB945A21D2EB78EE08CB9A
                                      APIs
                                      • _strftime.LIBCMT ref: 00401BD4
                                        • Part of subcall function 00401CE9: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401D55
                                      • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401C86
                                      • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CC4
                                      • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CD3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                      • String ID: %Y-%m-%d %H.%M$.wav$tMG
                                      • API String ID: 3809562944-3627046146
                                      • Opcode ID: 774d76beef9008db32f03f03aba53f46b293a4d454c50c356403b75a824fba62
                                      • Instruction ID: 77224d9c3c18060e3821781750c24aeed92f5db76bec914a8a88ddbccf287b9a
                                      • Opcode Fuzzy Hash: 774d76beef9008db32f03f03aba53f46b293a4d454c50c356403b75a824fba62
                                      • Instruction Fuzzy Hash: 5F3181315043019FC325EB62DD46A9A77A8FB84319F40443EF149A31F2EFB89949CB9A
                                      APIs
                                      • AllocConsole.KERNEL32(00475348), ref: 0041CE35
                                      • GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                      • ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                      • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Console$Window$AllocOutputShow
                                      • String ID: Remcos v$5.2.0 Pro$CONOUT$
                                      • API String ID: 4067487056-793934204
                                      • Opcode ID: 4ac208d8a2a9dd681627466f3850d62ccb8bf7ad48dd9727624a0f6f50ade13e
                                      • Instruction ID: a031bdd2f27af694b11ce09d1e3c688e218bb3586dee27dfc95755d0e541b829
                                      • Opcode Fuzzy Hash: 4ac208d8a2a9dd681627466f3850d62ccb8bf7ad48dd9727624a0f6f50ade13e
                                      • Instruction Fuzzy Hash: 2D014471A80304BBD610F7F19D8BF9EB7AC9B18B05F500527BA04A70D2EB6DD944466E
                                      Strings
                                      • xdF, xrefs: 004076E4
                                      • @*|, xrefs: 004076DF
                                      • C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, xrefs: 004076FF
                                      • shilajit-ISLNRR, xrefs: 00407715
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: @*|$C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe$shilajit-ISLNRR$xdF
                                      • API String ID: 0-3766806777
                                      • Opcode ID: bfa82963eea25e7f3a1000047237d0892740d3b416b353ce1bd886ed4ccf4a83
                                      • Instruction ID: 8e81a4762a03630119b5543cf4782e43f3d691fcab72f30749e56a9243805afb
                                      • Opcode Fuzzy Hash: bfa82963eea25e7f3a1000047237d0892740d3b416b353ce1bd886ed4ccf4a83
                                      • Instruction Fuzzy Hash: 08F0F6B0A14141ABCB1067355D286AA3756A784397F00487BF547FB2F2EBBD5C82861E
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044AD23
                                      • __alloca_probe_16.LIBCMT ref: 0044AD5B
                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044ADA9
                                      • __alloca_probe_16.LIBCMT ref: 0044AE40
                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
                                      • __freea.LIBCMT ref: 0044AEB0
                                        • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                      • __freea.LIBCMT ref: 0044AEB9
                                      • __freea.LIBCMT ref: 0044AEDE
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                      • String ID:
                                      • API String ID: 3864826663-0
                                      • Opcode ID: fdde0a3fba0e2e79fb92f6962f835a9100c7e8c667bc286140aaf21858552f70
                                      • Instruction ID: de232b2c18f644b0009b05ef7aad101f1c584e700cc6948cb3d999d9ae9be8cc
                                      • Opcode Fuzzy Hash: fdde0a3fba0e2e79fb92f6962f835a9100c7e8c667bc286140aaf21858552f70
                                      • Instruction Fuzzy Hash: 41514C72A80206AFFB258F64CC41EBF77A9DB44750F25462EFC14D7240EB38DC60869A
                                      APIs
                                      • SendInput.USER32 ref: 00419A25
                                      • SendInput.USER32(00000001,?,0000001C,00000000), ref: 00419A4D
                                      • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
                                      • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
                                      • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
                                      • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
                                      • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
                                      • SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
                                        • Part of subcall function 004199CE: MapVirtualKeyA.USER32(00000000,00000000), ref: 004199D4
                                      Yara matches
                                      Similarity
                                      • API ID: InputSend$Virtual
                                      • String ID:
                                      • API String ID: 1167301434-0
                                      • Opcode ID: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                      • Instruction ID: b6cba15de7ba168fc32b54cb564de1fb898aed6d56f2455a0f9f7e0387a20004
                                      • Opcode Fuzzy Hash: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                      • Instruction Fuzzy Hash: 2431AE71218349A9E220DFA5DC41BDFBBECAF89B44F04080FF58457291CAA49D8C876B
                                      APIs
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: __freea$__alloca_probe_16_free
                                      • String ID: a/p$am/pm$h{D
                                      • API String ID: 2936374016-2303565833
                                      • Opcode ID: f278f6ccdddd9c8957b45727c0f983370dbb743190d53240140d279861cd7d37
                                      • Instruction ID: c225e1f32c331ede1d29eb10815d0f52c76e58365e66366979e06629ded2ae5c
                                      • Opcode Fuzzy Hash: f278f6ccdddd9c8957b45727c0f983370dbb743190d53240140d279861cd7d37
                                      • Instruction Fuzzy Hash: 94D1E1719082068AFB299F68C845ABFB7B1EF05300F28455BE501AB351D73D9E43CBA9
                                      APIs
                                        • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                      • _free.LIBCMT ref: 00444E87
                                      • _free.LIBCMT ref: 00444E9E
                                      • _free.LIBCMT ref: 00444EBD
                                      • _free.LIBCMT ref: 00444ED8
                                      • _free.LIBCMT ref: 00444EEF
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: _free$AllocateHeap
                                      • String ID: KED
                                      • API String ID: 3033488037-2133951994
                                      • Opcode ID: 608df991a786fcfe36087b9db06c0af1d3846aff496c4c9c780995c6b43937c3
                                      • Instruction ID: 6eb5fd97c930506827bd935ec23fdf2bd7e2f8155051dcdfd38a61b70e77380a
                                      • Opcode Fuzzy Hash: 608df991a786fcfe36087b9db06c0af1d3846aff496c4c9c780995c6b43937c3
                                      • Instruction Fuzzy Hash: 2351B371A00604ABEB20DF29CC42B6B77F4FF89724B25456EE809D7751E739E901CB98
                                      APIs
                                      • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044BBB1,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B47E
                                      • __fassign.LIBCMT ref: 0044B4F9
                                      • __fassign.LIBCMT ref: 0044B514
                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
                                      • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000,?,?,?,?,?,?,?,?,?,0044BBB1,?), ref: 0044B559
                                      • WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000,?,?,?,?,?,?,?,?,?,0044BBB1,?), ref: 0044B592
                                      Yara matches
                                      Similarity
                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                      • String ID:
                                      • API String ID: 1324828854-0
                                      • Opcode ID: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                      • Instruction ID: 262f0c9efa3d8d05c94b564727faad167cb6e35c827a04fe4b8fb241bd644287
                                      • Opcode Fuzzy Hash: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                      • Instruction Fuzzy Hash: 2151B470A00249AFDB10CFA8D845AEEFBF8EF09304F14456BE955E7291E734D941CBA9
                                      APIs
                                      • __Init_thread_footer.LIBCMT ref: 004018BE
                                      • ExitThread.KERNEL32 ref: 004018F6
                                      • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EF0,00000000), ref: 00401A04
                                        • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                      • String ID: `kG$hMG$kG
                                      • API String ID: 1649129571-3851552405
                                      • Opcode ID: 7e438f7e0de7e1a48061060bf47163465fed72e99f71de3365297fa9ff44aa49
                                      • Instruction ID: dc699b77c08b599092ddf19de7d80486fcd8c0a7edd7622242773fc29a9484b7
                                      • Opcode Fuzzy Hash: 7e438f7e0de7e1a48061060bf47163465fed72e99f71de3365297fa9ff44aa49
                                      • Instruction Fuzzy Hash: 3441C2312042009BC324FB36DD96ABE73A6AB85354F00453FF54AA61F1DF38AD4AC61E
                                      APIs
                                        • Part of subcall function 00413656: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750F4), ref: 00413678
                                        • Part of subcall function 00413656: RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                                        • Part of subcall function 00413656: RegCloseKey.ADVAPI32(?), ref: 004136A0
                                        • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                        • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                      • _wcslen.LIBCMT ref: 0041B7F4
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                      • String ID: .exe$HSG$http\shell\open\command$program files (x86)\$program files\
                                      • API String ID: 3286818993-930133217
                                      • Opcode ID: b86b44ed08d52466cfc9a3801a6d71745e254f0deb3e8f8ed9e40c284f2e6556
                                      • Instruction ID: 00334f857bbe6022557327a28fa8f115e820bd32ca6b34e50ab8c41aa79dd428
                                      • Opcode Fuzzy Hash: b86b44ed08d52466cfc9a3801a6d71745e254f0deb3e8f8ed9e40c284f2e6556
                                      • Instruction Fuzzy Hash: 42218872A001046BDB14BAB59CD6AFE766D9B48728F10043FF505B72C3EE3C9D49426D
                                      APIs
                                        • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                        • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                        • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                      • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
                                      • PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                      • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                      • API String ID: 1133728706-4073444585
                                      • Opcode ID: c205dfe74dbda60eacb93fa3a46cd8cf8d8bdcdf87e24bc8b84adc5102ad8f0a
                                      • Instruction ID: 7718d61ab729039ae94473664947c91a52367f601ff6055b29c84dcba8ed2574
                                      • Opcode Fuzzy Hash: c205dfe74dbda60eacb93fa3a46cd8cf8d8bdcdf87e24bc8b84adc5102ad8f0a
                                      • Instruction Fuzzy Hash: E7215230A40219A6CB14F7F1CC969EE7729AF50744F80017FE502B71D1EB7D6945C6DA
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f00b1ad24c7174d2716471ab0982682010261559510d9071992da7a4292711ea
                                      • Instruction ID: d4e598e7927038c57750db0ba161657e9615562456f8c919f0676739ef068bdb
                                      • Opcode Fuzzy Hash: f00b1ad24c7174d2716471ab0982682010261559510d9071992da7a4292711ea
                                      • Instruction Fuzzy Hash: 931127B2504214BBEB216F768C05D1F7A5CEB86726B52062EFD55C7292DA3CCC0186A8
                                      APIs
                                      • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401A7D
                                      • waveInOpen.WINMM(00472AC0,000000FF,00472AC8,Function_00001B8F,00000000,00000000,00000024), ref: 00401B13
                                      • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401B67
                                      • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401B76
                                      • waveInStart.WINMM ref: 00401B82
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                      • String ID: tMG
                                      • API String ID: 1356121797-30866661
                                      • Opcode ID: a32bf82f151408e5f3abe306aa4422ab47744250154bd8f7e0bff8bea5466356
                                      • Instruction ID: cbef553d477d36f78321a165484ecc4410fcecc505b8f9aca62d01b994c6c3e6
                                      • Opcode Fuzzy Hash: a32bf82f151408e5f3abe306aa4422ab47744250154bd8f7e0bff8bea5466356
                                      • Instruction Fuzzy Hash: 8E2148716042019FC7299F6AEE09A697BAAFB84711B04403EE10DD76F1DBF848C5CB2C
                                      APIs
                                        • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
                                      • _free.LIBCMT ref: 00450FC8
                                        • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                        • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                      • _free.LIBCMT ref: 00450FD3
                                      • _free.LIBCMT ref: 00450FDE
                                      • _free.LIBCMT ref: 00451032
                                      • _free.LIBCMT ref: 0045103D
                                      • _free.LIBCMT ref: 00451048
                                      • _free.LIBCMT ref: 00451053
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                      • Instruction ID: 345e916fd15b447c36d88a7a8914fd19e4c3e0710e9d23c2e9f19f8556552687
                                      • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                      • Instruction Fuzzy Hash: C111D231402704AAE621BB72CC03FCB779CAF03304F454D2EBEA967153C7ACB4185654
                                      APIs
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
                                      • int.LIBCPMT ref: 004111BE
                                        • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                        • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                      • std::_Facet_Register.LIBCPMT ref: 004111FE
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                      • String ID: 8mG
                                      • API String ID: 2536120697-3990007011
                                      • Opcode ID: 14799048d37b477e6c40f7e8d4f0e89b1ed2b05bcd10956721a24fc1261bb2b4
                                      • Instruction ID: 3a14b803bc510f5ed1108d30ac07207671fc4f07faef22c9ffd8c11cb1ae2def
                                      • Opcode Fuzzy Hash: 14799048d37b477e6c40f7e8d4f0e89b1ed2b05bcd10956721a24fc1261bb2b4
                                      • Instruction Fuzzy Hash: D3112332900124A7CB14EBAAD8018DEBBA99F44364F11456FFE04B72E1DB789E41CBD8
                                      APIs
                                      • GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
                                      • SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLastValue___vcrt_
                                      • String ID:
                                      • API String ID: 3852720340-0
                                      • Opcode ID: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                      • Instruction ID: 228fd8bb196f6ae1284969ba5442ea73dc67404c1df350b3d70410c0baad6fb0
                                      • Opcode Fuzzy Hash: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                      • Instruction Fuzzy Hash: 87019C322483515EA61027797C8A62B2648EB293B9F30523FF518805F1EF984C90910D
                                      APIs
                                      • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe), ref: 0040760B
                                        • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
                                        • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                      • CoUninitialize.OLE32 ref: 00407664
                                      Strings
                                      • [+] before ShellExec, xrefs: 0040762C
                                      • [+] ucmCMLuaUtilShellExecMethod, xrefs: 004075F0
                                      • [+] ShellExec success, xrefs: 00407649
                                      • C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, xrefs: 004075EB, 004075EE, 00407640
                                      Yara matches
                                      Similarity
                                      • API ID: InitializeObjectUninitialize_wcslen
                                      • String ID: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                      • API String ID: 3851391207-3570722308
                                      • Opcode ID: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                      • Instruction ID: e4e7d1672fbddd81374e29e92f863be8f9bad83f72bb7a306ddb251afa86686e
                                      • Opcode Fuzzy Hash: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                      • Instruction Fuzzy Hash: 4501D272B087116BE2246B65DC4AF6B3748DB41B25F11053FF901A62C1EAB9FC0146AB
                                      APIs
                                      • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
                                      • GetLastError.KERNEL32 ref: 0040BB22
                                      Strings
                                      • [Chrome Cookies found, cleared!], xrefs: 0040BB48
                                      • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
                                      • UserProfile, xrefs: 0040BAE8
                                      • [Chrome Cookies not found], xrefs: 0040BB3C
                                      Yara matches
                                      Similarity
                                      • API ID: DeleteErrorFileLast
                                      • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                      • API String ID: 2018770650-304995407
                                      • Opcode ID: 7bdd53de2c7ce75327e0ce8a061dea47c63620c1b54bd56443db715df27270fd
                                      • Instruction ID: 5dee569c6883bfd73109a670bb68234af0f28e4caad238985ba957b2c74b96e7
                                      • Opcode Fuzzy Hash: 7bdd53de2c7ce75327e0ce8a061dea47c63620c1b54bd56443db715df27270fd
                                      • Instruction Fuzzy Hash: 5B01DF71A402055BCA04B7B6CC1B9BE7B24E922704B50017FF502726D6FE3E5D0986CE
                                      APIs
                                      • _free.LIBCMT ref: 00444106
                                        • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                        • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                      • _free.LIBCMT ref: 00444118
                                      • _free.LIBCMT ref: 0044412B
                                      • _free.LIBCMT ref: 0044413C
                                      • _free.LIBCMT ref: 0044414D
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID: 8N|
                                      • API String ID: 776569668-3799003814
                                      • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                      • Instruction ID: 0e9c2896d1a2baf17e4b980eca3efa8a556ca0a6e45d827b59e8921ed08f8926
                                      • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                      • Instruction Fuzzy Hash: 91F03AB18025208FA731AF2DBD528053BA1A705720356853BF40C62A71C7B849C2DFDF
                                      APIs
                                      • __allrem.LIBCMT ref: 0043ACE9
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
                                      • __allrem.LIBCMT ref: 0043AD1C
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
                                      • __allrem.LIBCMT ref: 0043AD51
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
                                      Yara matches
                                      Similarity
                                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                      • String ID:
                                      • API String ID: 1992179935-0
                                      • Opcode ID: 52068ab3a7cfe922dfe01ed446ba536eb0656cd97dd847f62b494b0202e28e08
                                      • Instruction ID: c7cd181284538591ee8af1586cca3d38175ba7b34bac8e5aa56d350f01832762
                                      • Opcode Fuzzy Hash: 52068ab3a7cfe922dfe01ed446ba536eb0656cd97dd847f62b494b0202e28e08
                                      • Instruction Fuzzy Hash: 5F815972A40B05ABE7209F29CC41B6FB3A99F48324F24152FF591D67C1E77CE910875A
                                      APIs
                                      • Sleep.KERNEL32(00000000,0040D29D), ref: 004044C4
                                        • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: H_prologSleep
                                      • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$XNG
                                      • API String ID: 3469354165-985523790
                                      • Opcode ID: 07df79d1def3ea8d0f0114adccc6152b0d50d4d25af5b96514c935137a49def7
                                      • Instruction ID: 7593a199e81997f2aad1dc538160579efde4e563a54277089fa649d8e7e3dbe8
                                      • Opcode Fuzzy Hash: 07df79d1def3ea8d0f0114adccc6152b0d50d4d25af5b96514c935137a49def7
                                      • Instruction Fuzzy Hash: 2A51E0B1A042106BCA14FB369D0A66E3655ABC4748F00443FFA09676E2DF7D8E46839E
                                      APIs
                                        • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
                                      • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
                                      • GetNativeSystemInfo.KERNEL32(?,0040D2DD,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411DE0
                                      • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411E04
                                        • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
                                      • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E4B
                                      • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E52
                                      • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F65
                                        • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
                                        • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 00412129
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                      • String ID:
                                      • API String ID: 3950776272-0
                                      • Opcode ID: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                                      • Instruction ID: da58ab861bd0a84ec3871346ef31e8b8814b9d9500880b3a3e1890ad13292c25
                                      • Opcode Fuzzy Hash: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                                      • Instruction Fuzzy Hash: F761A270700611ABCB209F66C981BAA7BA5AF44704F14411AFF05877A2D77CE8C2CBD9
                                      APIs
                                      Yara matches
                                      Similarity
                                      • API ID: __cftoe
                                      • String ID:
                                      • API String ID: 4189289331-0
                                      • Opcode ID: d4cf2da0f410fbcc7cbee81c0db44e16d3fe49bd9b5005f3a7d0ddff8059c7c7
                                      • Instruction ID: b93b8478136607885b926496a305f1bfb884a7f6acf724e610c81469f19cb9e5
                                      • Opcode Fuzzy Hash: d4cf2da0f410fbcc7cbee81c0db44e16d3fe49bd9b5005f3a7d0ddff8059c7c7
                                      • Instruction Fuzzy Hash: 2551FD72500605ABFF209B598C81EAF77A8EF45334F25421FF915A6293DB3DD900C66D
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
                                      • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                      • String ID:
                                      • API String ID: 493672254-0
                                      • Opcode ID: 305a945f5ae16c96e2f06c84d41aa4012af85c485f9c974a0b1ca90fe9e389de
                                      • Instruction ID: 77e668261cf9ee2bd18e5a0e87596c089765e66a1be6d3c981f75cbf7ed2a716
                                      • Opcode Fuzzy Hash: 305a945f5ae16c96e2f06c84d41aa4012af85c485f9c974a0b1ca90fe9e389de
                                      • Instruction Fuzzy Hash: A7016D311462157AD6111B34AC4EFFB3B6CDB02772F10032BF625965D1DA68CE8195AB
                                      APIs
                                      • GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                      • _free.LIBCMT ref: 004482CC
                                      • _free.LIBCMT ref: 004482F4
                                      • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                      • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                      • _abort.LIBCMT ref: 00448313
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$_free$_abort
                                      • String ID:
                                      • API String ID: 3160817290-0
                                      • Opcode ID: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                      • Instruction ID: 8d34d3ffa9a8a5ca7629c839d325bdddc3ef58a145117f7ac1d0225592351e3a
                                      • Opcode Fuzzy Hash: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                      • Instruction Fuzzy Hash: 8EF0A435101B006BF611772A6C06B6F26599BD3B69F36042FFD18962D2EF6DCC42816D
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
                                      • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ControlManager
                                      • String ID:
                                      • API String ID: 221034970-0
                                      • Opcode ID: 8eb54fa1672786e09d2219133f0626536d5b5b39631990794a881cefe09f2d9d
                                      • Instruction ID: 443f58cffa4f299642b313368f914f767bd977a6fac550f0ec2f38f013616b5a
                                      • Opcode Fuzzy Hash: 8eb54fa1672786e09d2219133f0626536d5b5b39631990794a881cefe09f2d9d
                                      • Instruction Fuzzy Hash: E4F0F631541318BBD7116F259C49DFF3B6CDB45B62F000026FE0992192EB68DD4595F9
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
                                      • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ControlManager
                                      • String ID:
                                      • API String ID: 221034970-0
                                      • Opcode ID: 7d40cec447ae271724922458aab5fd3d84dbec4ea928b02c1f03fd5bbfed4507
                                      • Instruction ID: 80b71cf000cc834045a6d48b23744411b71cc7e49355023a2f572df053a73ec4
                                      • Opcode Fuzzy Hash: 7d40cec447ae271724922458aab5fd3d84dbec4ea928b02c1f03fd5bbfed4507
                                      • Instruction Fuzzy Hash: 73F0C231501218ABD611AF65AC4AEFF3B6CDB45B62F00002AFE0992192EB38CD4595E9
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
                                      • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ControlManager
                                      • String ID:
                                      • API String ID: 221034970-0
                                      • Opcode ID: a0f35f664dbda9af56b5a5da66da559fb3e9fc57b8559f966e995c2fd7636ff5
                                      • Instruction ID: 4c72e2560426042a93d841201029be6eaa37955ba2c7d49e75f16ae618c5df44
                                      • Opcode Fuzzy Hash: a0f35f664dbda9af56b5a5da66da559fb3e9fc57b8559f966e995c2fd7636ff5
                                      • Instruction Fuzzy Hash: 85F0F631501228BBD7116F25AC49DFF3B6CDB45B62F00002AFE0992192EB38CD46A6F9
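The three functions above differ only in the second argument passed to ControlService (0x1, 0x2 and 0x3) and open the service with desired access 0x40. The following is an added example, not part of the Joe Sandbox report and not code from the analysed sample: it parses the report's own API trace lines (copied verbatim from the listings above) and decodes the ControlService dwControl value and the OpenServiceW access mask using the SERVICE_CONTROL_* and SERVICE_* constants from winsvc.h. Only the parameters those two APIs actually take are decoded; the trailing values in each trace line are extra stack slots that Joe Sandbox prints after the real arguments, and '?' marks a value it could not recover.

```python
"""Decode the service-control calls in the Joe Sandbox API trace above.

Added example; not part of the report and not code from the sample. The
trace lines in REPORT_LINES are copied from the three function listings;
the constant names and values are SERVICE_CONTROL_* and SERVICE_* from
winsvc.h. Only the real parameters of ControlService() and OpenServiceW()
are decoded; '?' means Joe Sandbox could not recover the value.
"""
import re

# winsvc.h: dwControl values accepted by ControlService()
SERVICE_CONTROL_NAMES = {
    0x1: "SERVICE_CONTROL_STOP",
    0x2: "SERVICE_CONTROL_PAUSE",
    0x3: "SERVICE_CONTROL_CONTINUE",
    0x4: "SERVICE_CONTROL_INTERROGATE",
    0x5: "SERVICE_CONTROL_SHUTDOWN",
    0x6: "SERVICE_CONTROL_PARAMCHANGE",
    0x7: "SERVICE_CONTROL_NETBINDADD",
    0x8: "SERVICE_CONTROL_NETBINDREMOVE",
    0x9: "SERVICE_CONTROL_NETBINDENABLE",
    0xA: "SERVICE_CONTROL_NETBINDDISABLE",
}

# winsvc.h: service-specific access rights (dwDesiredAccess of OpenService)
SERVICE_ACCESS_BITS = {
    0x0001: "SERVICE_QUERY_CONFIG",
    0x0002: "SERVICE_CHANGE_CONFIG",
    0x0004: "SERVICE_QUERY_STATUS",
    0x0008: "SERVICE_ENUMERATE_DEPENDENTS",
    0x0010: "SERVICE_START",
    0x0020: "SERVICE_STOP",
    0x0040: "SERVICE_PAUSE_CONTINUE",
    0x0080: "SERVICE_INTERROGATE",
    0x0100: "SERVICE_USER_DEFINED_CONTROL",
}

# Report line format: Api.MODULE(arg,arg,...), ref: ADDRESS
_TRACE_RE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


def parse_trace_line(line):
    """Return {'api', 'module', 'args', 'ref'} for an API trace line, else None."""
    m = _TRACE_RE.search(line)
    if not m:
        return None
    return {
        "api": m.group("api"),
        "module": m.group("module"),
        "args": [a.strip() for a in m.group("args").split(",")],
        "ref": int(m.group("ref"), 16),
    }


def _arg(rec, index):
    """Hex argument at position index, or None if missing or unrecovered ('?')."""
    if index >= len(rec["args"]) or rec["args"][index] == "?":
        return None
    return int(rec["args"][index], 16)


def decode_access(mask):
    """Names of the SERVICE_* bits set in mask, plus any unknown remainder."""
    names = [name for bit, name in SERVICE_ACCESS_BITS.items() if mask & bit]
    rest = mask & ~sum(SERVICE_ACCESS_BITS)
    if rest:
        names.append(f"0x{rest:X}")
    return names


def describe(line):
    """One human-readable string per ControlService/OpenServiceW call, else None."""
    rec = parse_trace_line(line)
    if rec is None:
        return None
    if rec["api"] == "ControlService":   # ControlService(hService, dwControl, lpServiceStatus)
        code = _arg(rec, 1)
        if code is None:
            return None
        name = SERVICE_CONTROL_NAMES.get(code, "unknown")
        return f"{rec['ref']:08X} ControlService dwControl=0x{code:X} ({name})"
    if rec["api"] == "OpenServiceW":     # OpenServiceW(hSCManager, lpServiceName, dwDesiredAccess)
        mask = _arg(rec, 2)
        if mask is None:
            return None
        return f"{rec['ref']:08X} OpenServiceW access=0x{mask:X} ({'|'.join(decode_access(mask))})"
    return None


# Trace lines copied from the report's three service-control functions
REPORT_LINES = [
    "ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76",
    "OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E",
    "ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A",
    "OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5",
    "ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1",
    "CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6",
]


def summarize(lines):
    """Decoded entries for every service call in lines, in report order."""
    return [d for d in map(describe, lines) if d]


if __name__ == "__main__":
    for entry in summarize(REPORT_LINES):
        print(entry)
```

Running it shows the three functions as stop, pause and continue of a named service, and the 0x40 access mask decodes to SERVICE_PAUSE_CONTINUE, which is the right the pause and continue calls need. The service name itself is not recoverable from these trace lines (the lpServiceName argument is a pointer), so which service is targeted has to come from the strings or from dynamic tracing, not from this listing.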
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free
                                      • String ID: @^E
                                      • API String ID: 269201875-2908066071
                                      • Opcode ID: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                      • Instruction ID: 6f8591e81a910498abf0b0e408487d1c0faf04506bf4bd3dd9e850377c22d226
                                      • Opcode Fuzzy Hash: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                      • Instruction Fuzzy Hash: 34413931B00104AAEB207B7A9C4666F3AB5DF45735F570A1FFD28C7293DA7C481D426A
                                      APIs
                                      • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D81
                                        • Part of subcall function 00413A90: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                        • Part of subcall function 00413A90: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                      • RegCloseKey.ADVAPI32(00000000,004660B4,004660B4,00466478,00466478,00000071), ref: 00413EEF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseEnumInfoOpenQuerysend
                                      • String ID: (aF$,aF$xdF
                                      • API String ID: 3114080316-1322504040
                                      • Opcode ID: 0b9da50034d62b322c9e97ec7b9b2d740b6e189dbc04b3620652c3da3570e91a
                                      • Instruction ID: 9135d8dbad86ad48596e871537d7b2906c3d36c2a7f97e2d86650b4d09e6d137
                                      • Opcode Fuzzy Hash: 0b9da50034d62b322c9e97ec7b9b2d740b6e189dbc04b3620652c3da3570e91a
                                      • Instruction Fuzzy Hash: E341A0316082406AC324FB26D852AEF72A59FD1348F80883FF54A671D6EF7C5D49866E
                                      APIs
                                        • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                      • __Init_thread_footer.LIBCMT ref: 0040B7D2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Init_thread_footer__onexit
                                      • String ID: [End of clipboard]$[Text copied to clipboard]$ mG$xdF
                                      • API String ID: 1881088180-3895790603
                                      • Opcode ID: a39ea4b818e0b3528c8bb9c5d7a7518586b356a586ec79917f3024ceca11fa06
                                      • Instruction ID: 5c7e69c9d376070a9f10adc198010d279a990252db190bacd7f595afc81a80c0
                                      • Opcode Fuzzy Hash: a39ea4b818e0b3528c8bb9c5d7a7518586b356a586ec79917f3024ceca11fa06
                                      • Instruction Fuzzy Hash: B5216D31A102198ACB14FBA6D8929EDB375AF54318F10403FE506771E2EF7C6D4ACA8C
                                      APIs
                                      • RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                      • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                      • GetLastError.KERNEL32 ref: 0041D611
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ClassCreateErrorLastRegisterWindow
                                      • String ID: 0$MsgWindowClass
                                      • API String ID: 2877667751-2410386613
                                      • Opcode ID: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                      • Instruction ID: e808ecd18ef19f47bd472c0c6462b34ef8490c58390ad3ae495a6aa035ed2a4b
                                      • Opcode Fuzzy Hash: 722de5e8388a8877474a119f468a3301e062738380f3873f65828015e8b741e1
                                      • Instruction Fuzzy Hash: 1F0125B1D00219ABDB00DFA5EC849EFBBBCEA08355F40453AF914A6241EB7589058AA4
                                      APIs
                                      • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
                                      • CloseHandle.KERNEL32(?), ref: 004077E5
                                      • CloseHandle.KERNEL32(?), ref: 004077EA
                                      Strings
                                      • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
                                      • C:\Windows\System32\cmd.exe, xrefs: 004077D1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandle$CreateProcess
                                      • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                      • API String ID: 2922976086-4183131282
                                      • Opcode ID: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                      • Instruction ID: 1887ccd63cb29ce90d3c4a9dee080bc6fb52b3336ad705aa4023eed0db3a7680
                                      • Opcode Fuzzy Hash: c38a1c4fbaf06b70ee3143182280ce63ac5342037887d892980c2b2f1eb259a7
                                      • Instruction Fuzzy Hash: 04F09672D4029C76CB20ABD7AC0EEDF7F3CEBC5B11F00051AF904A2045DA745400CAB5
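The function above spawns cmd.exe /k with a reg.exe command that sets EnableLUA to 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which disables UAC once the machine reboots and only succeeds from an already elevated process. The following is an added example, not part of the Joe Sandbox report and not code from the analysed sample: a detector that takes process command lines (as a Sysmon event 1 or Security event 4688 would record them) and flags reg.exe writes of UAC-weakening values to that key. The first sample command line is the one recovered from the CreateProcessA call above; the rest are constructed here to cover quoting, the HKEY_LOCAL_MACHINE spelling, hex data and the benign cases. It goes beyond the page by also flagging ConsentPromptBehaviorAdmin=0 (elevate without prompting) and PromptOnSecureDesktop=0 (secure desktop off), which are the other common UAC policy values under the same key.

```python
"""Flag process command lines that weaken UAC through reg.exe.

Added example; not part of the Joe Sandbox report and not code from the
analysed sample. SAMPLE_COMMAND_LINES[0] is the command line recovered
from the sample's CreateProcessA call; the others are constructed here.
UAC_WEAKENING_VALUES lists the policy values under the UAC key and the
data that weakens them (EnableLUA=0 disables UAC after reboot,
ConsentPromptBehaviorAdmin=0 elevates without prompting,
PromptOnSecureDesktop=0 turns the secure desktop off).
"""
import re

UAC_POLICY_KEY = r"HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM"

# value name (upper-cased, since the registry is case-insensitive) -> data that weakens UAC
UAC_WEAKENING_VALUES = {
    "ENABLELUA": 0,
    "CONSENTPROMPTBEHAVIORADMIN": 0,
    "PROMPTONSECUREDESKTOP": 0,
}

# reg[.exe] add <key> <switches>; the key may be quoted. Searched, not
# anchored, so the reg.exe call is found inside a cmd.exe /k or /c line too.
_REG_ADD_RE = re.compile(
    r'\breg(?:\.exe)?\s+add\s+(?:"(?P<qkey>[^"]+)"|(?P<key>\S+))(?P<rest>.*)',
    re.IGNORECASE,
)
_VALUE_RE = re.compile(r'/v\s+(?:"(?P<q>[^"]+)"|(?P<p>\S+))', re.IGNORECASE)
_DATA_RE = re.compile(r'/d\s+(?:"(?P<q>[^"]+)"|(?P<p>\S+))', re.IGNORECASE)


def _normalise_key(key):
    """Upper-case, strip a trailing backslash and expand the short hive name."""
    key = key.strip().rstrip("\\").upper()
    return key.replace("HKEY_LOCAL_MACHINE", "HKLM")


def _first(match):
    return match.group("q") if match.group("q") is not None else match.group("p")


def detect_uac_tamper(cmdline):
    """Return a finding dict if cmdline writes a UAC-weakening value, else None."""
    m = _REG_ADD_RE.search(cmdline)
    if not m:
        return None
    key = m.group("qkey") if m.group("qkey") is not None else m.group("key")
    if _normalise_key(key) != UAC_POLICY_KEY:
        return None
    vm = _VALUE_RE.search(m.group("rest"))
    dm = _DATA_RE.search(m.group("rest"))
    if not vm or not dm:
        return None
    value = _first(vm)
    try:
        data = int(_first(dm), 0)  # base 0 accepts both "0" and "0x0"
    except ValueError:
        return None
    if UAC_WEAKENING_VALUES.get(value.upper()) != data:
        return None
    return {"value": value, "data": data, "cmdline": cmdline}


def scan(cmdlines):
    """Findings for every command line that weakens UAC, in input order."""
    return [f for f in (detect_uac_tamper(c) for c in cmdlines) if f]


SAMPLE_COMMAND_LINES = [
    # recovered from the sample: cmd.exe /k <reg.exe ...>
    r"C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f",
    # constructed variants and benign cases
    r'reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0x0 /f',
    r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f",
    r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f",
    r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA",
    r"reg add HKCU\Software\Example /v EnableLUA /t REG_DWORD /d 0 /f",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_COMMAND_LINES):
        print(f"{f['value']}={f['data']}  <-  {f['cmdline']}")
```

A command-line match is only the first signal: the write itself shows up as a Sysmon event 13 (RegistryEvent SetValue) on the same key, and a host where the value is already 0 needs the reboot to actually lose UAC, so the registry state should be checked alongside the process event.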
                                      APIs
                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 004433FA
                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044340D
                                      • FreeLibrary.KERNEL32(00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 00443430
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressFreeHandleLibraryModuleProc
                                      • String ID: CorExitProcess$mscoree.dll
                                      • API String ID: 4061214504-1276376045
                                      • Opcode ID: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                      • Instruction ID: d7bd46dfab834bb5d48edea7818df211002af85bf4a2e706b61bd78119be3437
                                      • Opcode Fuzzy Hash: ffd65e2a986ef432bd98aae630379cdfc9b477bc787d361fad657d5437817096
                                      • Instruction Fuzzy Hash: 4EF04931900208FBDB159F65DC45B9EBF74EF04753F0040A5F805A2251DB758E40CA99
                                      APIs
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
                                      • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405140
                                        • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                      • String ID: KeepAlive | Disabled
                                      • API String ID: 2993684571-305739064
                                      • Opcode ID: a1239bbaa258f2a34943f968a1ba77755cc365037cc61d007e051ef3d6ef4e82
                                      • Instruction ID: dc79248355977efa3495ea8e96f68553e1f2867eb32bbe7dc6984d352a193ca4
                                      • Opcode Fuzzy Hash: a1239bbaa258f2a34943f968a1ba77755cc365037cc61d007e051ef3d6ef4e82
                                      • Instruction Fuzzy Hash: 5DF06D71904711BBDB203B758D0AAAB7E95AB06315F0009BEF982916E2D6798C408F9A
                                      APIs
                                        • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                      • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
                                      • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
                                      • Sleep.KERNEL32(00002710), ref: 0041AE98
                                      • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: PlaySound$HandleLocalModuleSleepTime
                                      • String ID: Alarm triggered
                                      • API String ID: 614609389-2816303416
                                      • Opcode ID: 3a0a6838436f72e464f3f9b922c545e7727b8fea0b38228e9900d288e1fe9cfd
                                      • Instruction ID: 264e31dd7f8ae4a58c3cd97330858728e5483d82e525179ed11d996d756d41c5
                                      • Opcode Fuzzy Hash: 3a0a6838436f72e464f3f9b922c545e7727b8fea0b38228e9900d288e1fe9cfd
                                      • Instruction Fuzzy Hash: 3EE0D826A40220779A10337B6D0FD6F3D29CAC3B2570100BFFA05660C2DD540C01C6FB
                                      APIs
                                      • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
                                      • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE00
                                      • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CE7E), ref: 0041CE0D
                                      • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE20
                                      Strings
                                      • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Console$AttributeText$BufferHandleInfoScreen
                                      • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                      • API String ID: 3024135584-2418719853
                                      • Opcode ID: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                      • Instruction ID: 3099d3b49c49d1df3d44327ff87017ee7d1b0803ff7cdb2815dc6b7c28d9377e
                                      • Opcode Fuzzy Hash: e39debb9b2b39d29e793f9bd33498d8add4ef2108ba1fa2e7e75c33182c8a1d6
                                      • Instruction Fuzzy Hash: B6E04872504315E7E31027B5EC4DCAB7B7CE745613B100266FA16915D39A749C41C6B5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 52d86c3ce57e0cfe0599c5a04198a87027602046587802b200418d3fba34e127
                                      • Instruction ID: 15e211ccade7fc2a5debfa8ad78d9bfa955d5b29a73147504924d067d3782226
                                      • Opcode Fuzzy Hash: 52d86c3ce57e0cfe0599c5a04198a87027602046587802b200418d3fba34e127
                                      • Instruction Fuzzy Hash: 2771D4319012569BEB21CF55C884AFFBB75EF55310F19412BE815672A0DB78CCC1CBA8
                                      APIs
                                        • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                        • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
                                      • Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
                                      • CloseHandle.KERNEL32(00000000), ref: 0040FB40
                                        • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,00475348), ref: 0041C08B
                                        • Part of subcall function 0041C076: IsWow64Process.KERNEL32(00000000,?,?,?,00475348), ref: 0041C096
                                        • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                        • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                      • String ID:
                                      • API String ID: 2180151492-0
                                      • Opcode ID: bfc89bdae2d650767b4ed35271776d2baa802c3b02b644790fe930e075800330
                                      • Instruction ID: 39de0d33b69ea9088fa68d935cf3ef43cf04ff0480c7130c1a021fac56d243da
                                      • Opcode Fuzzy Hash: bfc89bdae2d650767b4ed35271776d2baa802c3b02b644790fe930e075800330
                                      • Instruction Fuzzy Hash: 8D4136311083419BC325F722DC51AEFB3A5AF94305F50493EF58A921E2EF385A49C65A
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free
                                      • String ID:
                                      • API String ID: 269201875-0
                                      • Opcode ID: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                      • Instruction ID: bbec49e9ccdd5c2af131aecc9b6810ea24321c3eb42f74c08fbdd36582e243a3
                                      • Opcode Fuzzy Hash: 1c82e8231a1e7df7fc61a9fb39ee41d92c56425fa3e393906510b0ca3dcf776a
                                      • Instruction Fuzzy Hash: 5F41E232E00200AFEB14DF78C881A5EB3B5EF89B18F1545AEE915EB351D735AE05CB84
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92), ref: 004511F9
                                      • __alloca_probe_16.LIBCMT ref: 00451231
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?), ref: 00451282
                                      • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?,00000002,00000000), ref: 00451294
                                      • __freea.LIBCMT ref: 0045129D
                                        • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                      • String ID:
                                      • API String ID: 313313983-0
                                      • Opcode ID: bc12763b399a6208d318c17ed7bb5e89049be1fb7aa338cc20da594798c3f730
                                      • Instruction ID: f723c28c07ecd650b398e20bb728631ced1c531215915adb10fa1f31571a6cea
                                      • Opcode Fuzzy Hash: bc12763b399a6208d318c17ed7bb5e89049be1fb7aa338cc20da594798c3f730
                                      • Instruction Fuzzy Hash: F7310331A0020AABDF249F65DC41EAF7BA5EB04701F0445AAFC08E72A2E739CC55CB94
                                      APIs
                                        • Part of subcall function 00413733: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,00475300), ref: 0041374F
                                        • Part of subcall function 00413733: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
                                        • Part of subcall function 00413733: RegCloseKey.KERNEL32(00000000), ref: 00413773
                                      • Sleep.KERNEL32(00000BB8), ref: 004127B5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseOpenQuerySleepValue
                                      • String ID: @*|$HSG$exepath$xdF
                                      • API String ID: 4119054056-4003803656
                                      • Opcode ID: c4910f7145f7cabad12a11c825a9982b7c40ce0abb7968876c3fce6d3367946f
                                      • Instruction ID: 7f535f989f64e3217726da85717e45219a172cbdcd35e6ae3f2d68e0f7be43ad
                                      • Opcode Fuzzy Hash: c4910f7145f7cabad12a11c825a9982b7c40ce0abb7968876c3fce6d3367946f
                                      • Instruction Fuzzy Hash: 1F21D8A1B043042BD604B7365D4AAAF724D8B80358F40897FBA56E73D3EEBD9C45826D
                                      APIs
                                      • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
                                        • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
                                      • _free.LIBCMT ref: 0044F43F
                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                      • String ID:
                                      • API String ID: 336800556-0
                                      • Opcode ID: 5500135b4103b87c343acc58efff57d349ffb1ffd5e47bf571a7f4768ca97117
                                      • Instruction ID: b6d7bf627ac8e1e23e8e90154f8049d5dc13ee9613ce4caf203d647ba434722a
                                      • Opcode Fuzzy Hash: 5500135b4103b87c343acc58efff57d349ffb1ffd5e47bf571a7f4768ca97117
                                      • Instruction Fuzzy Hash: 2401DF72602721BF37211ABB5C8DC7F6AACDEC6FA5355013AFD04D2202DE688D0691B9
                                      APIs
                                      • GetLastError.KERNEL32(?,00000000,00000000,0043BCD6,00000000,00000000,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044831E
                                      • _free.LIBCMT ref: 00448353
                                      • _free.LIBCMT ref: 0044837A
                                      • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448387
                                      • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448390
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$_free
                                      • String ID:
                                      • API String ID: 3170660625-0
                                      • Opcode ID: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                      • Instruction ID: 5af5a014564f127a9d6b3613d5887cb4baea3ca98ff5bc54bcf39f1731b7af1a
                                      • Opcode Fuzzy Hash: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                      • Instruction Fuzzy Hash: 3401F936100B006BB7117A2A5C45E6F3259DBD2B75B35093FFD1892292EF7ECC02812D
                                      APIs
                                      • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                      • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                      • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C2B9
                                      • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2C4
                                      • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2CC
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$CloseHandleOpen$FileImageName
                                      • String ID:
                                      • API String ID: 2951400881-0
                                      • Opcode ID: ba3ea50cb646477030606071dcac17ec13321efbd804a8471714c0f1fa06d59f
                                      • Instruction ID: eb9e11a2b0883253d54455b1eb0df9c10e535dd1e95c930e162dea6fb874dde8
                                      • Opcode Fuzzy Hash: ba3ea50cb646477030606071dcac17ec13321efbd804a8471714c0f1fa06d59f
                                      • Instruction Fuzzy Hash: 2F01F231680215ABD71066949C8AFA7B66C8B84756F0001ABFA08D2292EE74CD81466A
                                      APIs
                                      • _free.LIBCMT ref: 00450A54
                                        • Part of subcall function 00446802: RtlFreeHeap.NTDLL(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                        • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                      • _free.LIBCMT ref: 00450A66
                                      • _free.LIBCMT ref: 00450A78
                                      • _free.LIBCMT ref: 00450A8A
                                      • _free.LIBCMT ref: 00450A9C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                      • Instruction ID: 72fff71e7c38304dd33e0b5962bcef44c8ad6e5fbb3f6de42623dcf71f8de19c
                                      • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                      • Instruction Fuzzy Hash: F7F012765053006B9620EB5DE883C1773D9EA157117A68C1BF549DB652C778FCC0866C
                                      APIs
                                      • GetWindowThreadProcessId.USER32(?,?), ref: 0041763E
                                      • GetWindowTextW.USER32(?,?,0000012C), ref: 00417670
                                      • IsWindowVisible.USER32(?), ref: 00417677
                                        • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                        • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ProcessWindow$Open$TextThreadVisible
                                      • String ID: (VG
                                      • API String ID: 3142014140-3443974315
                                      • Opcode ID: 24a09c8c4158ed3c0f2a795a4f0c90660d34be4f6c7f404af54177f4e0279c8e
                                      • Instruction ID: 57afc706987f0d359dfa573bc041c79e98ae29994c94316b8148008c339bd05b
                                      • Opcode Fuzzy Hash: 24a09c8c4158ed3c0f2a795a4f0c90660d34be4f6c7f404af54177f4e0279c8e
                                      • Instruction Fuzzy Hash: 6E7109311082419AC365FB22D8959EFB3E5BFD4308F50493FF18A560E5EF746A49CB8A
                                      APIs
                                      • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                      • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413BC6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Enum$InfoQueryValue
                                      • String ID: [regsplt]
                                      • API String ID: 3554306468-4262303796
                                      • Opcode ID: 1912cc85047d6fe9aebfeeb23cc0088c2f2b9ee1c1f314ee2953c53dd398c46e
                                      • Instruction ID: fa843d34e07254c46a29a5d4d7bbb73928c81f50e0ccc4a220fcc0531dc04ae2
                                      • Opcode Fuzzy Hash: 1912cc85047d6fe9aebfeeb23cc0088c2f2b9ee1c1f314ee2953c53dd398c46e
                                      • Instruction Fuzzy Hash: DF512C72900219AADB11EB95DC86EEEB77DAF04304F1000BAE505F6191EF746B48CBA9
                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe,00000104), ref: 00443515
                                      • _free.LIBCMT ref: 004435E0
                                      • _free.LIBCMT ref: 004435EA
                                      Strings
                                      • C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe, xrefs: 0044350C, 00443513, 00443542, 0044357A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$FileModuleName
                                      • String ID: C:\Users\user\Desktop\17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de8180586cb855.dat-decoded.exe
                                      • API String ID: 2506810119-1641854718
                                      • Opcode ID: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                      • Instruction ID: e5efe6401a3e5f1db0e1141fbbc5a3d1caea7301f6195c2e8eaff0a3f5655f7e
                                      • Opcode Fuzzy Hash: 85df99244543f45e80e68b9da345e50485f416d8f0a3fa02bb076d818d98866e
                                      • Instruction Fuzzy Hash: D63193B1A00254BFEB21DF9A998199EBBF8EB84B15F10406BF40597311D6B88F41CB99
                                      APIs
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                        • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,00475300), ref: 0041BA30
                                        • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                        • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                        • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                      • Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                      • String ID: /sort "Visit Time" /stext "$@NG
                                      • API String ID: 368326130-3944316004
                                      • Opcode ID: 224469ff984c8010abbfb6a0adb632b57bdffdcff036d90cee6eba18a73402bb
                                      • Instruction ID: 88307c0d9f74f86904655d2c31cb74d6ebeba16a9e6c7dae8368527950f1c452
                                      • Opcode Fuzzy Hash: 224469ff984c8010abbfb6a0adb632b57bdffdcff036d90cee6eba18a73402bb
                                      • Instruction Fuzzy Hash: EB316171A001195ACB15FBA6DC969ED7375AF90308F00007FF60AB71E2EF785E49CA99
                                      APIs
                                        • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                        • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                        • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                        • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                        • Part of subcall function 0044F0F7: _abort.LIBCMT ref: 0044F129
                                        • Part of subcall function 0044F0F7: _free.LIBCMT ref: 0044F15D
                                        • Part of subcall function 0044ED6C: GetOEMCP.KERNEL32(00000000,?,?,0044EFF5,?), ref: 0044ED97
                                      • _free.LIBCMT ref: 0044F050
                                      • _free.LIBCMT ref: 0044F086
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorLast_abort
                                      • String ID: 8N|$8N|
                                      • API String ID: 2991157371-1039237444
                                      • Opcode ID: 71aca08545de7bb044ad328f8c00ee0f305eefffa63378c1bf8952336139cfaa
                                      • Instruction ID: a9f826519387c1ac895116d2974c89b4af6d1f604a138ae73dd4863203302c4b
                                      • Opcode Fuzzy Hash: 71aca08545de7bb044ad328f8c00ee0f305eefffa63378c1bf8952336139cfaa
                                      • Instruction Fuzzy Hash: 2D31D371900104AFEB10EB69D441B9A77F4EF81325F2540AFE5049B2A3DB7A5D44CB58
                                      APIs
                                        • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                      • PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
                                      • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C6C3
                                      Strings
                                      • User Data\Profile ?\Network\Cookies, xrefs: 0040C670
                                      • User Data\Default\Network\Cookies, xrefs: 0040C63E
                                      Yara matches
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                      • API String ID: 1174141254-1980882731
                                      • Opcode ID: 97a5ada962bae72897b7f94b11cd40aa52c1d6f994a23f407ee9340b66b1d139
                                      • Instruction ID: a3c4a2fc075df05cc4efb8d324c4514c6f5a9a9113215be8183f294a60e8cc46
                                      • Opcode Fuzzy Hash: 97a5ada962bae72897b7f94b11cd40aa52c1d6f994a23f407ee9340b66b1d139
                                      • Instruction Fuzzy Hash: 0621E27190011A96CB14FBA2DC96DEEBB7CAE50319B40053FF506B31D2EF789946C6D8
                                      APIs
                                        • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                      • PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
                                      • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C792
                                      Strings
                                      • User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
                                      • User Data\Default\Network\Cookies, xrefs: 0040C70D
                                      Yara matches
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                      • API String ID: 1174141254-1980882731
                                      • Opcode ID: e30cb4288211014db5c272c31aa753e5001111b8c3c97bf560fde133b4847c17
                                      • Instruction ID: 531025beeaae0c5c42121d483a56170e39db3028f8febaf9efde6b64dfa31b71
                                      • Opcode Fuzzy Hash: e30cb4288211014db5c272c31aa753e5001111b8c3c97bf560fde133b4847c17
                                      • Instruction Fuzzy Hash: 4821127190011A96CB04F7A2DC96CEEBB78AE50359B40013FF506B31D2EF789946C6D8
                                      APIs
                                      • GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                      • wsprintfW.USER32 ref: 0040B22E
                                        • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: EventLocalTimewsprintf
                                      • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                                      • API String ID: 1497725170-1359877963
                                      • Opcode ID: 598e0a7c0d0d0e60a2011044f18d65c28a10592999ecdaed1c3cad85e009971a
                                      • Instruction ID: 4bcbbea8953a56f0834a7592719eb704c83d71ae81c48fe005db4fd1b538d991
                                      • Opcode Fuzzy Hash: 598e0a7c0d0d0e60a2011044f18d65c28a10592999ecdaed1c3cad85e009971a
                                      • Instruction Fuzzy Hash: 88114272404118AACB19AB96EC55CFE77BCEE48315B00012FF506A61D1FF7C5A45C6AD
                                      APIs
                                        • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                        • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                        • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                      • CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040AFA9
                                      • CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040AFB5
                                      • CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: CreateThread$LocalTime$wsprintf
                                      • String ID: Online Keylogger Started
                                      • API String ID: 112202259-1258561607
                                      • Opcode ID: a7321385670445bfa9baf585f8c9fa904332ec5059089b328e401a783e90a250
                                      • Instruction ID: 1fd114496b08e8c1d91a2f23279a740fccf8855fe00c80ef0b78f2cd7c44f0e8
                                      • Opcode Fuzzy Hash: a7321385670445bfa9baf585f8c9fa904332ec5059089b328e401a783e90a250
                                      • Instruction Fuzzy Hash: 2A01C4A07003193EE62076368C8BDBF7A6DCA91398F4004BFF641362C2E97D1C1586FA
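The two records above show the sample's keystroke logger: worker threads are created next to the string "Online Keylogger Started", and each log header is built with GetLocalTime and wsprintfW from the format "[%04i/%02i/%02i %02i:%02i:%02i " followed by "]". The parser below is an added example written for this report, not code from the sample or from Joe Sandbox. It turns a plaintext (or already decoded) log that uses this header into a timeline for incident response. The report does not show what the sample writes between the timestamp and the closing bracket, so that part is kept as an opaque label; SAMPLE_LOG is constructed text, not a recovered log.

```python
"""Parse a plaintext keystroke log written with this sample's header format.

Added example for this report; not code from the sample or from Joe Sandbox.
The header comes from the strings in the records above: wsprintfW with
"[%04i/%02i/%02i %02i:%02i:%02i " followed by "]", plus the banner
"Online Keylogger Started".  What the sample places between the timestamp and
the closing bracket is not shown in this report, so it is kept as an opaque
label.  SAMPLE_LOG is constructed text, not a recovered log.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

START_MARKER = "Online Keylogger Started"

# Four-digit year, two-digit fields, the format's trailing space, then the
# unknown label up to the closing bracket.  Headers never span lines.
HEADER_RE = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ?(?P<label>[^\]\r\n]*)\]"
)


@dataclass
class Entry:
    when: datetime
    label: str
    keys: str


def parse_keylog(text: str) -> list[Entry]:
    """Split the log at each header; keystrokes run up to the next header."""
    headers = list(HEADER_RE.finditer(text))
    entries: list[Entry] = []
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        entries.append(Entry(
            when=datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
            label=m.group("label").strip(),
            keys=text[m.end():end].strip(),
        ))
    return entries


def has_start_marker(text: str) -> bool:
    """True if the banner the sample emits at keylogger start is present."""
    return START_MARKER in text


def timeline(entries: list[Entry]) -> list[str]:
    """One line per entry in timestamp order, ready for an IR report."""
    ordered = sorted(entries, key=lambda e: e.when)
    return [f"{e.when.isoformat(sep=' ')}  [{e.label}]  {e.keys}" for e in ordered]


# Constructed sample log: window titles and the "[TAB]"/"[ENTER]" key names are
# illustrative only; the report does not show how the sample renders them.
SAMPLE_LOG = (
    "Online Keylogger Started\r\n"
    "[2024/11/24 10:15:30 Untitled - Notepad]\r\n"
    "hello world\r\n"
    "[2024/11/24 10:16:02 Sign in]\r\n"
    "user@example.test[TAB]hunter2[ENTER]\r\n"
)

if __name__ == "__main__":
    print("banner present:", has_start_marker(SAMPLE_LOG))
    for line in timeline(parse_keylog(SAMPLE_LOG)):
        print(line)
```

Because the header regex requires the date digits, bracketed key names such as "[TAB]" inside the keystroke body are not mistaken for headers.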
                                      APIs
                                      • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406ABD
                                      • GetProcAddress.KERNEL32(00000000), ref: 00406AC4
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: CryptUnprotectData$crypt32
                                      • API String ID: 2574300362-2380590389
                                      • Opcode ID: b88f03605d096aaa2152f3ebf69acb5fe9b1e31435291808458d2189a413eed3
                                      • Instruction ID: 345ee013d26fc91f442c93551971226c597518e80cf45168a44a65f4e30a47e9
                                      • Opcode Fuzzy Hash: b88f03605d096aaa2152f3ebf69acb5fe9b1e31435291808458d2189a413eed3
                                      • Instruction Fuzzy Hash: 1D01F575A00215BBCB18CFAC8C409AF7BB8EB85300F0041BEE94AE3381DA34AD00CB94
                                      APIs
                                      • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                      • CloseHandle.KERNEL32(?), ref: 004051CA
                                      • SetEvent.KERNEL32(?), ref: 004051D9
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: CloseEventHandleObjectSingleWait
                                      • String ID: Connection Timeout
                                      • API String ID: 2055531096-499159329
                                      • Opcode ID: aea94675e7c534c52cb53f54c205b860b10a02e3c4213e765d5fd14c325240d7
                                      • Instruction ID: 0252d74fe4ede7253ae2eff4a1d35319ac7a80acec65437dc80477e116da68d3
                                      • Opcode Fuzzy Hash: aea94675e7c534c52cb53f54c205b860b10a02e3c4213e765d5fd14c325240d7
                                      • Instruction Fuzzy Hash: 4A01F530A40F00AFD7216F368D8642BBFE0EB00306704093FE68356AE2D6789800CF89
                                      APIs
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: Exception@8Throw
                                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                      • API String ID: 2005118841-1866435925
                                      • Opcode ID: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                                      • Instruction ID: 287a1f786264602a2f100ba68ee8cd07dacd1bfc9ef62352ff5e55a88b78f620
                                      • Opcode Fuzzy Hash: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                                      • Instruction Fuzzy Hash: 59018F626583087AEB14B697CC03FBA33685B10708F10CC3BBD01765C2EA7D6A61C66F
                                      APIs
                                      • RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 0041385A
                                      • RegSetValueExW.ADVAPI32(?,?,00000000,00000001,00000000,00000000,00475300,?,0040F85E,pth_unenc,@*|), ref: 00413888
                                      • RegCloseKey.ADVAPI32(?,?,0040F85E,pth_unenc,@*|), ref: 00413893
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCreateValue
                                      • String ID: pth_unenc
                                      • API String ID: 1818849710-4028850238
                                      • Opcode ID: cbeea3386a39013b062d5e7225ad240eff34055e22739d6872e46d18ef669f40
                                      • Instruction ID: 9133f253890910ff78e8f434c24b82038cc7026402723a24ca4ec17c3e6d8cb5
                                      • Opcode Fuzzy Hash: cbeea3386a39013b062d5e7225ad240eff34055e22739d6872e46d18ef669f40
                                      • Instruction Fuzzy Hash: 15F0C271440218FBCF00AFA1EC45FEE376CEF00756F10452AF905A61A1E7759E04DA94
                                      APIs
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
                                      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
                                        • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
                                        • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                      • String ID: bad locale name
                                      • API String ID: 3628047217-1405518554
                                      • Opcode ID: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                      • Instruction ID: 7f9ccd90240ef42149755af47b5df127ed13e8783c268b42739d505c0e35a915
                                      • Opcode Fuzzy Hash: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                      • Instruction Fuzzy Hash: 77F08131544A085AC338FA62D863DDA73B49F14358F50457FB406268D2EF78BA0CCA9D
                                      APIs
                                      • CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
                                      • ShowWindow.USER32(00000009), ref: 00416C9C
                                      • SetForegroundWindow.USER32 ref: 00416CA8
                                        • Part of subcall function 0041CE2C: AllocConsole.KERNEL32(00475348), ref: 0041CE35
                                        • Part of subcall function 0041CE2C: GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                        • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                        • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: Window$Console$Show$AllocCreateForegroundOutputThread
                                      • String ID: !D@
                                      • API String ID: 186401046-604454484
                                      • Opcode ID: a068d85ce6d20572725b561f13a14384616ca358d13cf0a9e2740917865bf9e7
                                      • Instruction ID: b1493b377ee00385912555b1a5c9642ee05cd41efde33f67b603c236d656be44
                                      • Opcode Fuzzy Hash: a068d85ce6d20572725b561f13a14384616ca358d13cf0a9e2740917865bf9e7
                                      • Instruction Fuzzy Hash: 81F03A70148340AAD720AF65ED55BBABB69EB54301F01487BFA09C20F2DB389C94869E
                                      APIs
                                      • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: ExecuteShell
                                      • String ID: /C $cmd.exe$open
                                      • API String ID: 587946157-3896048727
                                      • Opcode ID: f44f3a75cb8e05523d561960cc0be4386eb784bc6dcc6058ee8d5990d9ea8ce9
                                      • Instruction ID: 08f4dee505367bf09000beb2be63de5ecd082ae46aa0e0363999309db21c3e05
                                      • Opcode Fuzzy Hash: f44f3a75cb8e05523d561960cc0be4386eb784bc6dcc6058ee8d5990d9ea8ce9
                                      • Instruction Fuzzy Hash: 5EE0C0B0204305ABC605F675DC96CBF73ADAA94749B50483F7142A20E2EF7C9D49C65D
                                      APIs
                                      • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8B1
                                      • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8DC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: DeleteDirectoryFileRemove
                                      • String ID: pth_unenc$xdF
                                      • API String ID: 3325800564-2448381268
                                      APIs
                                      • TerminateThread.KERNEL32(0040A2B8,00000000,00475300,pth_unenc,0040D0F3,@*|,00475300,?,pth_unenc), ref: 0040B8F6
                                      • UnhookWindowsHookEx.USER32(00475100), ref: 0040B902
                                      • TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: TerminateThread$HookUnhookWindows
                                      • String ID: pth_unenc
                                      • API String ID: 3123878439-4028850238
                                      APIs
                                      Yara matches
                                      Similarity
                                      • API ID: __alldvrm$_strrchr
                                      • String ID:
                                      • API String ID: 1036877536-0
                                      APIs
                                      Strings
                                      • [Cleared browsers logins and cookies.], xrefs: 0040C11F
                                      • Cleared browsers logins and cookies., xrefs: 0040C130
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep
                                      • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                      • API String ID: 3472027048-1236744412
                                      APIs
                                        • Part of subcall function 0041C5E2: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C5F2
                                        • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0041C5FB
                                        • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C625
                                      • Sleep.KERNEL32(000001F4), ref: 0040A5AE
                                      • Sleep.KERNEL32(00000064), ref: 0040A638
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: Window$SleepText$ForegroundLength
                                      • String ID: [ $ ]
                                      • API String ID: 3309952895-93608704
                                      APIs
                                      Yara matches
                                      Similarity
                                      • API ID: SystemTimes$Sleep__aulldiv
                                      • String ID:
                                      • API String ID: 188215759-0
                                      APIs
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
                                      • GetLastError.KERNEL32(?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
                                      Yara matches
                                      Similarity
                                      • API ID: LibraryLoad$ErrorLast
                                      • String ID:
                                      • API String ID: 3177248105-0
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 0041C543
                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041C568
                                      • CloseHandle.KERNEL32(00000000), ref: 0041C576
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseCreateHandleReadSize
                                      • String ID:
                                      • API String ID: 3919263394-0
                                      APIs
                                      • ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
                                        • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
                                      • _UnwindNestedFrames.LIBCMT ref: 00439911
                                      • ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
                                      • CallCatchBlock.LIBVCRUNTIME ref: 00439947
                                      Yara matches
                                      Similarity
                                      • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                      • String ID:
                                      • API String ID: 2633735394-0
                                      APIs
                                      • GetSystemMetrics.USER32(0000004C), ref: 0041942B
                                      • GetSystemMetrics.USER32(0000004D), ref: 00419431
                                      • GetSystemMetrics.USER32(0000004E), ref: 00419437
                                      • GetSystemMetrics.USER32(0000004F), ref: 0041943D
                                      Yara matches
                                      Similarity
                                      • API ID: MetricsSystem
                                      • String ID:
                                      • API String ID: 4116985748-0
                                      APIs
                                      • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
                                      • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
                                      • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
                                        • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
                                      • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
                                      Yara matches
                                      Similarity
                                      • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                      • String ID:
                                      • API String ID: 1761009282-0
                                      APIs
                                      • __startOneArgErrorHandling.LIBCMT ref: 00442D3D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorHandling__start
                                      • String ID: pow
                                      • API String ID: 3213639722-2276729525
                                      • Opcode ID: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                      • Instruction ID: 2abd0c7c8e13d4a8cd2c8141c546921d868ac315c0d238e81b652aa6ec7fde8b
                                      • Opcode Fuzzy Hash: ba08a0cb9aac2d09af1d9c353536d0054585ad8ee24c5cded07915036f7ff901
                                      • Instruction Fuzzy Hash: 92515AE1E0460296FB167714CE4137B6794AB50741F70497BF0D6823EAEA7C8C859B4F
                                      APIs
                                      • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418AF9
                                        • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                      • SHCreateMemStream.SHLWAPI(00000000), ref: 00418B46
                                        • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                        • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                      • String ID: image/jpeg
                                      • API String ID: 1291196975-3785015651
                                      • Opcode ID: f7762c1077cd22b9d0966c79a8c7972fb49086d0d121f5f9ad0777a9e048a50c
                                      • Instruction ID: b1b0a2c635f45e8130f4767810c6fbb161559e0826da6e7acb487c9aae22ef17
                                      • Opcode Fuzzy Hash: f7762c1077cd22b9d0966c79a8c7972fb49086d0d121f5f9ad0777a9e048a50c
                                      • Instruction Fuzzy Hash: 6D316F72504310AFC701EF65C884D6FB7E9EF8A304F00496EF98597251DB7999048B66
                                      APIs
                                      • GetACP.KERNEL32(?,20001004,?,00000002), ref: 00451C92
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: ACP$OCP
                                      • API String ID: 0-711371036
                                      • Opcode ID: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                      • Instruction ID: 09b953eaa346ea86c897215e5a2a15a508f8bcb16f9b984b1dadcb699cf7d301
                                      • Opcode Fuzzy Hash: 28d359b86f53a769e50845c8979a9c95ba506d3f4f520eddc938968d94c37ac1
                                      • Instruction Fuzzy Hash: E821D862A80204A6DB36CF14C941BAB7266DB54B13F568426ED0AD7322F73BED45C35C
                                      APIs
                                      • _wcslen.LIBCMT ref: 00416330
                                        • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                        • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                        • Part of subcall function 004138B2: RegCloseKey.KERNEL32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                        • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _wcslen$CloseCreateValue
                                      • String ID: !D@$okmode
                                      • API String ID: 3411444782-1942679189
                                      • Opcode ID: ffd0034025ce8a6f256035d87f0428f79cac076b847b20a61f7d23f5852e07e7
                                      • Instruction ID: 3691d04bdc76b081f03c0e50e7d604d291fd2bc6213442c77ae478975c73e837
                                      • Opcode Fuzzy Hash: ffd0034025ce8a6f256035d87f0428f79cac076b847b20a61f7d23f5852e07e7
                                      • Instruction Fuzzy Hash: E211A871B042011BDA187B72D822BBD2296DB84349F80483FF50AAF2E2DFBD4C51535D
                                      APIs
                                      • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418BE5
                                        • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                      • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00418C0A
                                        • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                        • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                      • String ID: image/png
                                      • API String ID: 1291196975-2966254431
                                      • Opcode ID: 5ab440bc048de2cb56d31f74581c152c1f03e682227d906222c769bb8292334a
                                      • Instruction ID: f628a6b37c0337dbee8ef7f798de7cbb8cc54a1da061f00231e4b0513ad08027
                                      • Opcode Fuzzy Hash: 5ab440bc048de2cb56d31f74581c152c1f03e682227d906222c769bb8292334a
                                      • Instruction Fuzzy Hash: 4221C375204211AFC700AB61CC89DBFBBACEFCA314F10452EF54693251DB389945CBA6
                                      APIs
                                      • GetLocalTime.KERNEL32(?,004755A8,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
                                        • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                      • GetLocalTime.KERNEL32(?,004755A8,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
                                      Strings
                                      • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LocalTime
                                      • String ID: KeepAlive | Enabled | Timeout:
                                      • API String ID: 481472006-1507639952
                                      • Opcode ID: b04484f53d8468b4d83ba2a2ead289fcf1640922145b27791008477ae1a99032
                                      • Instruction ID: b700b38ef9f928670de2390b904a97a1cb71e472754ad5b4355c5e73bb52b66b
                                      • Opcode Fuzzy Hash: b04484f53d8468b4d83ba2a2ead289fcf1640922145b27791008477ae1a99032
                                      • Instruction Fuzzy Hash: E62104719007806BD710B732A80A76F7B64E755308F44057EE8491B2A2EB7D5988CBDE
                                      APIs
                                      • Sleep.KERNEL32 ref: 0041667B
                                      • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DownloadFileSleep
                                      • String ID: !D@
                                      • API String ID: 1931167962-604454484
                                      • Opcode ID: 1ca4657709125a85b171c3d25381609667c6d049654dacff53733f257152a229
                                      • Instruction ID: 943aba663a6785b3e55a0e29e9dd0f60b42d3502aaa7a5a348319576c1e2766f
                                      • Opcode Fuzzy Hash: 1ca4657709125a85b171c3d25381609667c6d049654dacff53733f257152a229
                                      • Instruction Fuzzy Hash: 9D1142716083029AC614FF72D8969AE77A4AF50348F400C7FF546531E2EE3C9949C65A
                                      APIs
                                      • GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LocalTime
                                      • String ID: | $%02i:%02i:%02i:%03i
                                      • API String ID: 481472006-2430845779
                                      • Opcode ID: c84e5cc4d669c1bab3d4613523f9321b462ddfd430bd9aba11072f60c0a42049
                                      • Instruction ID: dc1ef91952a31d7701eba46fb19b130c3a81cf04c31882e55cbcd77cf5b9c3d8
                                      • Opcode Fuzzy Hash: c84e5cc4d669c1bab3d4613523f9321b462ddfd430bd9aba11072f60c0a42049
                                      • Instruction Fuzzy Hash: 72118E714082455AC304EB62D8519BFB3E9AB44308F50093FF88AA21E1EF3CDA45C69E
                                      APIs
                                      • PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: alarm.wav$xYG
                                      • API String ID: 1174141254-3120134784
                                      • Opcode ID: 295bfd34ad248fa5ae2dae4f6734345cab6275ac0e47a6b15ddca192400cb660
                                      • Instruction ID: fba4c3df788ebc26406fa6248c5b94d62a9d66ba9cb3dc57f05af0bb44f50ff0
                                      • Opcode Fuzzy Hash: 295bfd34ad248fa5ae2dae4f6734345cab6275ac0e47a6b15ddca192400cb660
                                      • Instruction Fuzzy Hash: 78019E7068831166CA04F77688166EE37559B80318F00847FF64A566E2EFBC9A9586CF
                                      APIs
                                        • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                        • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                        • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                      • CloseHandle.KERNEL32(?), ref: 0040B0EF
                                      • UnhookWindowsHookEx.USER32 ref: 0040B102
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                      • String ID: Online Keylogger Stopped
                                      • API String ID: 1623830855-1496645233
                                      • Opcode ID: e9861db579dd6a0832a13b67f6620eafbc60b9ba0201637d04cad77b23535cc3
                                      • Instruction ID: 2c7fc3a8f12b1f8c565497f75251163d8124a4eac963031352a4caf2a1bdec21
                                      • Opcode Fuzzy Hash: e9861db579dd6a0832a13b67f6620eafbc60b9ba0201637d04cad77b23535cc3
                                      • Instruction Fuzzy Hash: 6F01F530600610ABD7217B35C81B7BE7B729B41304F4004BFE982265C2EBB91856C7DE
                                      APIs
                                        • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                        • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                        • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                        • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                      • _abort.LIBCMT ref: 0044F129
                                      • _free.LIBCMT ref: 0044F15D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast_abort_free
                                      • String ID: 8N|
                                      • API String ID: 289325740-3799003814
                                      • Opcode ID: 870bd59091670ef6f85687353f23d3fa7adaacf8e57ceb1d53a868e14bc6891b
                                      • Instruction ID: a8e40e627a719db10bf70d85eeadc0c4c2fb790701f4ec7f842983f146219858
                                      • Opcode Fuzzy Hash: 870bd59091670ef6f85687353f23d3fa7adaacf8e57ceb1d53a868e14bc6891b
                                      • Instruction Fuzzy Hash: 0501A1B1D01A21DBEB31AFA9D84265EB3A0BF04720B19012FE51463391CB386D46CBCE
                                      APIs
                                      • waveInPrepareHeader.WINMM(007CDD68,00000020,?,?,00476B60,00474EF0,?,00000000,00401A15), ref: 00401849
                                      • waveInAddBuffer.WINMM(007CDD68,00000020,?,00000000,00401A15), ref: 0040185F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: wave$BufferHeaderPrepare
                                      • String ID: hMG
                                      • API String ID: 2315374483-350922481
                                      • Opcode ID: 2a7237b1c750756b6a557ff6dbb8ae44e7524d5ce161b2fadacf42baadc53798
                                      • Instruction ID: 961ac9ec07701b1a047984959549e732b5ed52ade8bfae490fcb5a94ac50a39c
                                      • Opcode Fuzzy Hash: 2a7237b1c750756b6a557ff6dbb8ae44e7524d5ce161b2fadacf42baadc53798
                                      • Instruction Fuzzy Hash: 46016D71701301AFC7609F75EC449697BA9FF89355701413AF409C77A2EB759C50CB98
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.4358729070.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.4358714098.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358765829.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358789659.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.4358824758.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_17323410671691fb610332a2a23e84df9d573b6d7d338d6835a49e8e0241717de81805.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free
                                      • String ID: $G
                                      • API String ID: 269201875-4251033865
                                      • Opcode ID: 0435164efccf50aa8117c2daa51ec46fe1437c867187ee89b2aa6ea167946eb6
                                      • Instruction ID: 4a6f060c21597e0392f33703011e6e0157da39883ddad7ec559e06d861eb6f1f
                                      • Opcode Fuzzy Hash: 0435164efccf50aa8117c2daa51ec46fe1437c867187ee89b2aa6ea167946eb6
                                      • Instruction Fuzzy Hash: 64E0E532A0152014F6713A3B6D1665B45C68BC1B3AF22423FF425962C2DFAC8946516E
                                      APIs
                                      • IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
                                      Strings
                                      Similarity
                                      • API ID: LocaleValid
                                      • String ID: IsValidLocaleName$kKD
                                      • API String ID: 1901932003-3269126172
                                      APIs
                                      • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                      Strings
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                      • API String ID: 1174141254-4188645398
                                      APIs
                                      • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                      Strings
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                      • API String ID: 1174141254-2800177040
                                      APIs
                                      • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5F7
                                      Strings
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: AppData$\Opera Software\Opera Stable\
                                      • API String ID: 1174141254-1629609700
                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: _free
                                      • String ID: $G
                                      • API String ID: 269201875-4251033865
                                      APIs
                                      • GetKeyState.USER32(00000011), ref: 0040B686
                                        • Part of subcall function 0040A41B: GetForegroundWindow.USER32(?,?,00475100), ref: 0040A451
                                        • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                        • Part of subcall function 0040A41B: GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                        • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
                                        • Part of subcall function 0040A41B: GetKeyboardState.USER32(?,?,00475100), ref: 0040A479
                                        • Part of subcall function 0040A41B: ToUnicodeEx.USER32(00475154,00000000,?,?,00000010,00000000,00000000), ref: 0040A49C
                                        • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                        • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                      Strings
                                      Similarity
                                      • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                      • String ID: [AltL]$[AltR]
                                      • API String ID: 2738857842-2658077756
                                      APIs
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
                                      Strings
                                      Similarity
                                      • API ID: ExecuteShell
                                      • String ID: !D@$open
                                      • API String ID: 587946157-1586967515
                                      APIs
                                      • GetKeyState.USER32(00000012), ref: 0040B6E0
                                      Strings
                                      Similarity
                                      • API ID: State
                                      • String ID: [CtrlL]$[CtrlR]
                                      • API String ID: 1649606143-2446555240
                                      APIs
                                        • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                      • __Init_thread_footer.LIBCMT ref: 00410F64
                                      Strings
                                      Similarity
                                      • API ID: Init_thread_footer__onexit
                                      • String ID: <kG$@kG
                                      • API String ID: 1881088180-1261746286
                                      APIs
                                      • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D17F,00000000,@*|,00475300,?,pth_unenc), ref: 00413A6C
                                      • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00413A80
                                      Strings
                                      • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
                                      Similarity
                                      • API ID: DeleteOpenValue
                                      • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                      • API String ID: 2654517830-1051519024
                                      APIs
                                      • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                      • WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                      Strings
                                      Similarity
                                      • API ID: ObjectProcessSingleTerminateWait
                                      • String ID: pth_unenc
                                      • API String ID: 1872346434-4028850238
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401BD9), ref: 00440D77
                                      • GetLastError.KERNEL32 ref: 00440D85
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
                                      Similarity
                                      • API ID: ByteCharMultiWide$ErrorLast
                                      • String ID:
                                      • API String ID: 1717984340-0
                                      APIs
                                      • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411BC7
                                      • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C93
                                      • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411CB5
                                      • SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
                                      Similarity
                                      • API ID: ErrorLastRead
                                      • String ID:
                                      • API String ID: 4100373531-0