Windows Analysis Report
1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe

Overview

General Information

Sample name: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe
Analysis ID: 1561338
MD5: c2b0f048825a3d1d08df209c48b7531c
SHA1: 3200063423feec9bee258f5bd871e778f55983e9
SHA256: 9bb9da2d4b47cbb8bd8980f2992a059e0cba6cc0f613ca0dd94fff4fe80a81f7
Tags: base64-decoded, exe, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Installs a global keyboard hook
Machine Learning detection for sample
Uses dynamic DNS services
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Extracted Remcos configuration:
{
  "Host:Port:Password": ["escoclar.duckdns.org:2404:1"],
  "Assigned name": "rempastnov",
  "Connect interval": "1",
  "Install flag": "Disable",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Enable",
  "Install path": "Application path",
  "Copy file": "remcos.exe",
  "Startup value": "Enable",
  "Hide file": "Disable",
  "Mutex": "escoclar-5B94K9",
  "Keylog flag": "1",
  "Keylog path": "Application path",
  "Keylog file": "fox.dat",
  "Keylog crypt": "Enable",
  "Hide keylog file": "Enable",
  "Screenshot flag": "Disable",
  "Screenshot time": "1",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Screenshots",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "5",
  "Audio folder": "MicRecords",
  "Connect delay": "0",
  "Copy folder": "Remcos",
  "Keylog folder": "escoclar"
}
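The configuration block above is the report's own output. The script below is an added example, not part of the Joe Sandbox report or of Remcos: it loads that block and derives the host and network indicators an analyst would hunt for (C2 host:port and password, mutex, Run keys, drop path, keylog file and whether that file is encrypted and hidden). Two things in it are assumptions rather than facts from the page: that "Application path" means the directory the sample was launched from (rendered as the placeholder %APPDIR%, with "AppData" as %APPDATA%), and the short dynamic-DNS suffix list used to explain the "Uses dynamic DNS services" signature. The report does not give the Run-key value name, so only the keys are listed.

```python
import json

# The configuration block as printed by the report's Malware Configuration
# Extractor (copied from the page; the raw Remcos resource is not shown there).
REPORT_CONFIG = r'''{"Host:Port:Password": ["escoclar.duckdns.org:2404:1"], "Assigned name": "rempastnov", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "escoclar-5B94K9", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "fox.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "escoclar"}'''

# Suffixes of free dynamic-DNS providers.  Short illustrative list (assumption),
# enough to explain the report's "Uses dynamic DNS services" signature.
DDNS_SUFFIXES = ("duckdns.org", "no-ip.com", "ddns.net", "hopto.org")

# Assumption (not stated in the report): "Application path" is the directory
# the sample was launched from.  Placeholders keep the output host-independent.
LOCATION_PLACEHOLDERS = {"Application path": "%APPDIR%", "AppData": "%APPDATA%"}


def load_report_config(text: str = REPORT_CONFIG) -> dict:
    return json.loads(text)


def parse_c2(entry: str):
    """'host:port:password' -> (host, port, password).

    Only the first two colons split; the password may itself contain ':'.
    """
    host, port, password = entry.split(":", 2)
    return host, int(port), password


def _path(cfg: dict, base_key: str, folder_key: str, file_key: str) -> str:
    base = LOCATION_PLACEHOLDERS.get(cfg[base_key], cfg[base_key])
    return "\\".join([base, cfg[folder_key], cfg[file_key]])


def derive_indicators(cfg: dict) -> dict:
    """Turn the extractor's key/value view into concrete things to look for."""
    c2 = [parse_c2(e) for e in cfg["Host:Port:Password"]]
    return {
        "c2": [(h, p) for h, p, _ in c2],
        "c2_passwords": sorted({pw for _, _, pw in c2}),
        "uses_dynamic_dns": any(h.endswith(DDNS_SUFFIXES) for h, _, _ in c2),
        "beacon_interval_s": int(cfg["Connect interval"]),
        "mutex": cfg["Mutex"],
        "install_enabled": cfg["Install flag"] == "Enable",
        # Where a copy would land if installation runs (Copy folder\Copy file).
        "copy_path": _path(cfg, "Install path", "Copy folder", "Copy file"),
        # Run keys the config enables; the value name is not in the report.
        "run_keys": [f"{hive}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
                     for hive in ("HKCU", "HKLM") if cfg[f"Setup {hive}\\Run"] == "Enable"],
        "keylogger": {
            "enabled": cfg["Keylog flag"] == "1",
            "path": _path(cfg, "Keylog path", "Keylog folder", "Keylog file"),
            "encrypted": cfg["Keylog crypt"] == "Enable",   # fox.dat is not plaintext
            "hidden": cfg["Hide keylog file"] == "Enable",
        },
        "screenshots_enabled": cfg["Screenshot flag"] == "Enable",
    }


def hunt_lines(ind: dict) -> list:
    """Flat, greppable hunt list an analyst can paste into a ticket."""
    lines = [f"net  c2 {h}:{p}" for h, p in ind["c2"]]
    lines.append(f"host mutex {ind['mutex']}")
    lines += [f"reg  {k}" for k in ind["run_keys"]]
    lines.append(f"file {ind['copy_path']} (install flag {'on' if ind['install_enabled'] else 'off'})")
    if ind["keylogger"]["enabled"]:
        kl = ind["keylogger"]
        lines.append(f"file {kl['path']} (keylog, "
                     f"{'encrypted' if kl['encrypted'] else 'plaintext'}, "
                     f"{'hidden' if kl['hidden'] else 'visible'})")
    return lines


if __name__ == "__main__":
    for line in hunt_lines(derive_indicators(load_report_config())):
        print(line)
```

Note the tension the output exposes: "Install flag" is Disable while both Run keys are Enable, so the Run-key entries and the Remcos\remcos.exe copy are listed as things to check rather than as confirmed artifacts; the keylog file is the more reliable host indicator because "Keylog flag" is 1.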
Yara matches on the submitted file (Source | Rule | Description | Author; matched strings listed beneath each rule):
Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
  • 0x6aaf8:$a1: Remcos restarted by watchdog!
  • 0x6b070:$a3: %02i:%02i:%02i:%03i
Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
  • 0x64d94:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64e04:$str_b2: Executing file:
  • 0x65c3c:$str_b3: GetDirectListeningPort
  • 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65780:$str_b7: \update.vbs
  • 0x64e2c:$str_b9: Downloaded file:
  • 0x64e18:$str_b10: Downloading file:
  • 0x64ebc:$str_b12: Failed to upload file:
  • 0x65c04:$str_b13: StartForward
  • 0x65c24:$str_b14: StopForward
  • 0x656d8:$str_b15: fso.DeleteFile "
  • 0x6566c:$str_b16: On Error Resume Next
  • 0x65708:$str_b17: fso.DeleteFolder "
  • 0x64eac:$str_b18: Uploaded file:
  • 0x64e6c:$str_b19: Unable to delete:
  • 0x656a0:$str_b20: while fso.FileExists("
  • 0x65349:$str_c0: [Firefox StoredLogins not found]
(1 further entry not expanded in this export)
Yara matches in process memory dumps (Source | Rule | Description | Author):
Source: 00000000.00000000.2323818165.0000000000457000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
Source: 00000000.00000000.2323818165.0000000000457000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000000.00000000.2323818165.0000000000457000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 00000000.00000000.2323818165.0000000000457000.00000002.00000001.01000000.00000003.sdmp | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
  • 0x146f8:$a1: Remcos restarted by watchdog!
  • 0x14c70:$a3: %02i:%02i:%02i:%03i
Source: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
(8 further entries not expanded in this export)
Yara matches on unpacked PE images (Source | Rule | Description | Author):
Source: 0.0.1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe.400000.0.unpack | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
Source: 0.0.1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe.400000.0.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 0.0.1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe.400000.0.unpack | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 0.0.1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe.400000.0.unpack | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
  • 0x6aaf8:$a1: Remcos restarted by watchdog!
  • 0x6b070:$a3: %02i:%02i:%02i:%03i
Source: 0.2.1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe.400000.0.unpack | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
(7 further entries not expanded in this export)
                        No Sigma rule has matched
Suricata alerts (Timestamp | SID | Severity | Classtype | Source IP:Port | Destination IP:Port | Protocol):
2024-11-23T06:53:34.237681+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6:49716 | 154.216.17.204:2404 | TCP
2024-11-23T06:53:37.359161+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.6:49717 | 178.237.33.50:80 | TCP


                        AV Detection

Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Avira: detected
Source: escoclar.duckdns.org | Avira URL Cloud: Label: malware
Source: 00000000.00000002.4775165264.000000000068E000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos (the configuration listed under Classification above: C2 escoclar.duckdns.org:2404, mutex escoclar-5B94K9, keylog file fox.dat)
Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | ReversingLabs: Detection: 73%
Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Virustotal: Detection: 69%
Source: Yara match | File source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2323818165.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4775165264.000000000068E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe PID: 6944, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: 0_2_0043293A CryptAcquireContextA, CryptGenRandom, CryptReleaseContext
Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY----- (memstr_c5079538-9)

                        Exploits

Source: Yara match | File source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2323818165.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe PID: 6944, type: MEMORYSTR

                        Privilege Escalation

Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: 0_2_00406764 _wcslen, CoGetObject (CoGetObject on a wide-string elevation moniker is the primitive behind the CMSTP/CMSTPLUA UAC-bypass signatures above)
Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: 0_2_0040B335 FindFirstFileA, FindClose, DeleteFileA, GetLastError, DeleteFileA, GetLastError, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: 0_2_0041B42F FindFirstFileW, FindNextFileW, RemoveDirectoryW, SetFileAttributesW, DeleteFileW, FindClose, RemoveDirectoryW, GetLastError, FindClose
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: 0_2_0040B53A FindFirstFileA, FindClose, DeleteFileA, GetLastError, FindNextFileA, FindClose, FindClose
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: 0_2_0044D5E9 FindFirstFileExA
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: 0_2_004089A9 __EH_prolog, FindFirstFileW, FindNextFileW, FindClose, FindClose, __CxxThrowException@8
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: 0_2_00406AC2 FindFirstFileW, FindNextFileW
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: 0_2_00407A8C __EH_prolog, FindFirstFileW, FindNextFileW, FindClose, __CxxThrowException@8
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: 0_2_00418C69 FindFirstFileW, FindNextFileW, FindNextFileW
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: 0_2_00408DA7 __EH_prolog, FindFirstFileW, FindNextFileW, FindClose
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: 0_2_00406F06 SetEvent, GetFileAttributesW, DeleteFileW, ShellExecuteW, GetLogicalDriveStringsA, SetFileAttributesW, DeleteFileA, Sleep, StrToIntA, CreateDirectoryW
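The CoGetObject call listed first in this section is what the "UAC Bypass using CMSTP" signatures key on: the documented technique hands CoGetObject an elevation moniker of the form Elevation:Administrator!new:{CLSID}, which returns an auto-elevated COM object without a consent prompt. The Python below is an added example, not part of this report or of any YARA rule it cites. It scans a byte blob for that moniker in both 8-bit and UTF-16LE form (the _wcslen before CoGetObject shows the moniker is a wide string, so an ASCII-only scan would miss it) and classifies the reg.exe EnableLUA command that the REMCOS_RAT_variants strings show. The CMSTPLUA CLSID in the lookup table is the publicly documented one and is not printed on this page; the sample blob and the command line ending in /d 0 /f are constructed for the example (the report's string is truncated after REG_DWOR).

```python
import re

# Auto-elevating COM classes reachable through the elevation moniker.  The
# CMSTPLUA CLSID is the publicly documented one; assumption, since this report
# names the technique but does not print the CLSID.
KNOWN_ELEVATED_CLSIDS = {
    "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}": "CMSTPLUA",
}

# "Elevation:Administrator!new:{CLSID}" is the moniker CoGetObject accepts to
# instantiate an auto-elevated COM object (UAC bypass, MITRE T1218.003).
MONIKER_RE = re.compile(
    r"Elevation:Administrator!new:\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}"
)

# reg.exe ADD ...\Policies\System /v EnableLUA ... as seen in the
# REMCOS_RAT_variants strings; 'rest' captures whatever switches follow.
ENABLELUA_RE = re.compile(
    r'reg(?:\.exe)?\s+add\s+"?HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"?'
    r"\s+/v\s+EnableLUA(?P<rest>[^\r\n\x00]*)",
    re.IGNORECASE,
)


def find_elevation_monikers(data: bytes) -> list:
    """Return (encoding, CLSID, class name) for every elevation moniker found.

    The blob is viewed three ways: as 8-bit text, and as UTF-16LE at an even
    and at an odd byte offset, because a wide string can start anywhere and a
    single decode would miss the misaligned case.
    """
    views = [("ascii", data.decode("latin-1"))]
    for off in (0, 1):
        views.append(("utf-16le", data[off:].decode("utf-16-le", errors="ignore")))
    hits = set()
    for enc, text in views:
        for m in MONIKER_RE.finditer(text):
            clsid = "{" + m.group(1).upper() + "}"
            hits.add((enc, clsid, KNOWN_ELEVATED_CLSIDS.get(clsid, "unknown COM class")))
    return sorted(hits)


def classify_enablelua(text: str):
    """None if no EnableLUA write is present, 'uac_disabled' when the value is
    set to 0, otherwise 'enablelua_modified' (truncated or non-zero data)."""
    m = ENABLELUA_RE.search(text)
    if not m:
        return None
    return "uac_disabled" if re.search(r"/d\s+0\b", m.group("rest"), re.I) else "enablelua_modified"


def scan_binary(data: bytes) -> dict:
    return {
        "elevation_monikers": find_elevation_monikers(data),
        "enablelua": classify_enablelua(data.decode("latin-1")),
    }


# Constructed sample blob (not bytes from the real file): the truncated reg.exe
# string exactly as the YARA match printed it, then the moniker as UTF-16LE.
SAMPLE_BLOB = (
    b"\x00" * 16
    + b"/k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
    + b"\\Policies\\System /v EnableLUA /t REG_DWOR"
    + b"\x00" * 8
    + "Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}".encode("utf-16-le")
    + b"\x00" * 16
)

# Constructed process command line; '/d 0 /f' is the assumed completion of the
# report's truncated string, not something the report shows.
SAMPLE_CMDLINE = (
    r'"C:\Windows\System32\cmd.exe" /k %windir%\System32\reg.exe ADD '
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"
)

if __name__ == "__main__":
    print(scan_binary(SAMPLE_BLOB))
    print(classify_enablelua(SAMPLE_CMDLINE))
```

On a host, classify_enablelua is the piece to run over process-creation command lines; the moniker scan is for static triage of the dropped binary or of memory dumps such as the .sdmp sources listed in this report. A hit on the moniker alone only proves the capability is present; the EnableLUA write to 0 is the action that actually turns UAC off and is the stronger alert.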

                        Networking

Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49716 -> 154.216.17.204:2404
Source: Malware configuration extractor | URLs: escoclar.duckdns.org
Source: unknown | DNS query: name: escoclar.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.6:49716 -> 154.216.17.204:2404
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache (no User-Agent header; see the "HTTP GET or POST without a user agent" signature)
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | ASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49717 -> 178.237.33.50:80
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: 0_2_004260F7 recv
Source: global traffic | DNS traffic detected: DNS query: escoclar.duckdns.org
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe (memory dumps 00000000.00000003.2379459315.00000000006F2000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2379538270.0000000000703000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.4775165264.000000000068E000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.4775165264.00000000006F2000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.4775165264.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2379459315.00000000006D1000.00000004.00000020.00020000.00000000.sdmp) | String found in binary or memory: http://geoplugin.net/json.gp
The following variants carry trailing characters that appear to be adjacent memory bytes rather than part of the URL:
Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe (memory dumps 00000000.00000002.4775165264.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2379459315.00000000006D1000.00000004.00000020.00020000.00000000.sdmp) | String found in binary or memory: http://geoplugin.net/json.gp-
Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe (memory dump 00000000.00000002.4775165264.000000000068E000.00000004.00000020.00020000.00000000.sdmp) | String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe (memory dumps 00000000.00000003.2379459315.00000000006F2000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.4775165264.00000000006F2000.00000004.00000020.00020000.00000000.sdmp) | String found in binary or memory: http://geoplugin.net/json.gpal
Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe (memory dumps 00000000.00000003.2379459315.00000000006F2000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.4775165264.00000000006F2000.00000004.00000020.00020000.00000000.sdmp) | String found in binary or memory: http://geoplugin.net/json.gpl
Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe (memory dumps 00000000.00000002.4775165264.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.2379459315.00000000006D1000.00000004.00000020.00020000.00000000.sdmp) | String found in binary or memory: http://geoplugin.net/json.gpll
Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe (memory dumps 00000000.00000003.2379459315.00000000006F2000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.4775165264.00000000006F2000.00000004.00000020.00020000.00000000.sdmp) | String found in binary or memory: http://geoplugin.net/json.gpt
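How the two Suricata alerts, the DNS lookups and the geoplugin request fit together can be checked mechanically rather than by eye. The script below is an added example, not part of the Joe Sandbox report: it reads Suricata EVE JSON lines, maps DNS answers back to the hostname:port pairs from the extracted configuration so that the severity-1 JA3 alert on 154.216.17.204:2404 is tied to escoclar.duckdns.org:2404, and flags the User-Agent-less GET /json.gp to geoplugin.net as the implant's geolocation lookup. The EVE records are constructed to mirror what this report shows; the DNS answer that maps the name to 154.216.17.204 is inferred from the flow (the report does not print the resolved address), the DNS and HTTP record timestamps are assumed, and the list of "standard" ports is an assumption for the example.

```python
import json
from collections import defaultdict

# C2 endpoints taken from the report's extracted Remcos configuration.
CONFIG_C2 = {("escoclar.duckdns.org", 2404)}

# Ports a TLS/HTTP client would normally talk to; anything else is flagged.
# Short illustrative list (assumption), not from the report.
STANDARD_PORTS = {80, 443, 8080, 8443}

# Hosts whose only purpose is to tell the implant where the victim sits.
GEO_LOOKUP_HOSTS = {"geoplugin.net"}


def _rec(**fields) -> str:
    return json.dumps(fields)


# Constructed EVE JSON lines mirroring the report's two alerts, the DNS
# lookups and the geoplugin request.  Field names follow Suricata's EVE schema;
# the DNS answer and the DNS/HTTP timestamps are assumptions (see lead-in).
SAMPLE_EVE = "\n".join([
    _rec(timestamp="2024-11-23T06:53:33.900000+0100", event_type="dns", src_ip="192.168.2.6",
         dest_ip="1.1.1.1", proto="UDP",
         dns={"type": "query", "rrname": "escoclar.duckdns.org", "rrtype": "A"}),
    _rec(timestamp="2024-11-23T06:53:33.950000+0100", event_type="dns", src_ip="1.1.1.1",
         dest_ip="192.168.2.6", proto="UDP",
         dns={"type": "answer", "rrname": "escoclar.duckdns.org", "rcode": "NOERROR",
              "answers": [{"rrname": "escoclar.duckdns.org", "rrtype": "A", "rdata": "154.216.17.204"}]}),
    _rec(timestamp="2024-11-23T06:53:34.237681+0100", event_type="alert", src_ip="192.168.2.6",
         src_port=49716, dest_ip="154.216.17.204", dest_port=2404, proto="TCP",
         alert={"signature_id": 2036594, "signature": "ET JA3 Hash - Remcos 3.x/4.x TLS Connection",
                "category": "Malware Command and Control Activity Detected", "severity": 1}),
    _rec(timestamp="2024-11-23T06:53:37.000000+0100", event_type="dns", src_ip="192.168.2.6",
         dest_ip="1.1.1.1", proto="UDP",
         dns={"type": "query", "rrname": "geoplugin.net", "rrtype": "A"}),
    # No http_user_agent key: the request carried no User-Agent header.
    _rec(timestamp="2024-11-23T06:53:37.300000+0100", event_type="http", src_ip="192.168.2.6",
         src_port=49717, dest_ip="178.237.33.50", dest_port=80, proto="TCP",
         http={"hostname": "geoplugin.net", "url": "/json.gp", "http_method": "GET", "protocol": "HTTP/1.1"}),
    _rec(timestamp="2024-11-23T06:53:37.359161+0100", event_type="alert", src_ip="192.168.2.6",
         src_port=49717, dest_ip="178.237.33.50", dest_port=80, proto="TCP",
         alert={"signature_id": 2803304, "signature": "ETPRO MALWARE Common Downloader Header Pattern HCa",
                "category": "Unknown Traffic", "severity": 3}),
])


def triage(eve_text: str, config_c2=CONFIG_C2) -> list:
    """Enrich alerts and HTTP records with DNS context and config knowledge."""
    records = [json.loads(line) for line in eve_text.splitlines() if line.strip()]

    # Pass 1: which names resolved to which IPs, so an alert on a bare IP:port
    # can be matched against the hostname:port pairs in the config.
    names_for_ip = defaultdict(set)
    for r in records:
        d = r.get("dns", {})
        if r["event_type"] == "dns" and d.get("type") == "answer":
            for a in d.get("answers", []):
                if a.get("rrtype") in ("A", "AAAA"):
                    names_for_ip[a["rdata"]].add(a.get("rrname", d.get("rrname")))

    # Pass 2: annotate the interesting events in arrival order.
    findings = []
    for r in records:
        if r["event_type"] == "alert":
            names = names_for_ip.get(r["dest_ip"], set())
            findings.append({
                "kind": "alert",
                "sid": r["alert"]["signature_id"],
                "severity": r["alert"]["severity"],
                "dest": f'{r["dest_ip"]}:{r["dest_port"]}',
                "resolved_from": sorted(names),
                "matches_config_c2": any((n, r["dest_port"]) in config_c2 for n in names),
                "non_standard_port": r["dest_port"] not in STANDARD_PORTS,
            })
        elif r["event_type"] == "http":
            h = r["http"]
            findings.append({
                "kind": "http",
                "host": h.get("hostname"),
                "request": f'{h.get("http_method")} {h.get("url")}',
                "missing_user_agent": "http_user_agent" not in h,
                "geolocation_lookup": h.get("hostname") in GEO_LOOKUP_HOSTS,
            })
    return findings


def verdict(findings: list) -> str:
    """'c2_confirmed' when a severity-1 alert lands on a config C2, else
    'suspicious' if anything weaker was flagged, else 'clean'."""
    if any(f["kind"] == "alert" and f["severity"] == 1 and f["matches_config_c2"] for f in findings):
        return "c2_confirmed"
    if any(f.get("missing_user_agent") or f.get("non_standard_port") for f in findings):
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    fs = triage(SAMPLE_EVE)
    for f in fs:
        print(f)
    print(verdict(fs))
```

The DNS pass is what makes the correlation hold up on a real sensor: the Suricata alert only carries 154.216.17.204, the configuration only carries escoclar.duckdns.org, and a dynamic-DNS name can point somewhere else an hour later, so the link has to be made from the answer seen at the time, not from a later lookup.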

                        Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: 0_2_004099E4 SetWindowsHookExA 0000000D, 004099D0, 00000000 (idHook 0x0D = WH_KEYBOARD_LL; callback at 0x004099D0)
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: 0_2_004159C6 OpenClipboard, EmptyClipboard, GlobalAlloc, GlobalLock, GlobalUnlock, SetClipboardData, CloseClipboard, OpenClipboard, GetClipboardData, GlobalLock, GlobalUnlock, CloseClipboard (one function covers both the read-clipboard and modify-clipboard signatures)
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: 0_2_00409B10 GetForegroundWindow, GetWindowThreadProcessId, GetKeyboardLayout, GetKeyState, GetKeyboardState, ToUnicodeEx, ToUnicodeEx, ToUnicodeEx, ToUnicodeEx
Source: Yara match | File source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2323818165.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe PID: 6944, type: MEMORYSTR

                        E-Banking Fraud

Source: Yara match | File source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2323818165.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4775165264.000000000068E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe PID: 6944, type: MEMORYSTR

                        Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: 0_2_0041BB77 SystemParametersInfoW

                        System Summary

Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, type: SAMPLE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 0.0.1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 0.2.1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 0.0.1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 0.0.1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 0.2.1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 0.2.1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 00000000.00000000.2323818165.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: Process Memory Space: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe PID: 6944, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: 0_2_0041ACC1 OpenProcess, NtSuspendProcess, CloseHandle
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: 0_2_0041ACED OpenProcess, NtResumeProcess, CloseHandle
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: 0_2_004158B9 ExitWindowsEx, LoadLibraryA, GetProcAddress
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: 0_2_0041D071
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: 0_2_004520D2
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: 0_2_0043D098
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: 0_2_00437150
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: 0_2_004361AA
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: 0_2_00426254
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: 0_2_00431377
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: 0_2_0041E5DF
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: 0_2_0044C739
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: 0_2_004267CB
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: 0_2_0043C9DD
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: 0_2_00432A49
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_0043CC0C0_2_0043CC0C
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_00434D220_2_00434D22
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_00426E730_2_00426E73
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_00440E200_2_00440E20
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_0043CE3B0_2_0043CE3B
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_00412F450_2_00412F45
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_00452F000_2_00452F00
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_00426FAD0_2_00426FAD
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: String function: 00401F66 appears 50 times
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: String function: 004020E7 appears 40 times
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: String function: 004338A5 appears 42 times
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: String function: 00433FB0 appears 55 times
                        Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, type: SAMPLEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, type: SAMPLEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                        Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 0.0.1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 0.2.1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 0.0.1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                        Source: 0.0.1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 0.2.1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                        Source: 0.2.1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 00000000.00000000.2323818165.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: Process Memory Space: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe PID: 6944, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: classification engineClassification label: mal100.rans.troj.spyw.expl.evad.winEXE@1/2@2/2
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,0_2_00416AB7
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,0_2_0040E219
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_0041A63F FindResourceA,LoadResource,LockResource,SizeofResource,0_2_0041A63F
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_00419BC4
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\json[1].jsonJump to behavior
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeMutant created: \Sessions\1\BaseNamedObjects\escoclar-5B94K9
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: Software\0_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: escoclar-5B94K90_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: Exe0_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: Exe0_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: escoclar-5B94K90_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: 0DG0_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: Inj0_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: Inj0_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: BG0_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: BG0_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: BG0_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: @CG0_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: BG0_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: exepath0_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: @CG0_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: exepath0_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: BG0_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: licence0_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: `=G0_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: dCG0_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: Administrator0_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: User0_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: del0_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: del0_2_0040D767
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCommand line argument: del0_2_0040D767
                        Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                        Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeReversingLabs: Detection: 73%
                        Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeVirustotal: Detection: 69%
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeSection loaded: winmm.dllJump to behavior
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeSection loaded: wininet.dllJump to behavior
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeSection loaded: rasadhlp.dllJump to behavior
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeSection loaded: fwpuclnt.dllJump to behavior
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeSection loaded: winhttp.dllJump to behavior
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeSection loaded: winnsi.dllJump to behavior
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32Jump to behavior
                        Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                        Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                        Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                        Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                        Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                        Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                        Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                        Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                        Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                        Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041BCE3
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_004567E0 push eax; ret 0_2_004567FE
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_00455EAF push ecx; ret 0_2_00455EC2
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_00433FF6 push ecx; ret 0_2_00434009
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_00406128 ShellExecuteW,URLDownloadToFileW,0_2_00406128
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_00419BC4
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041BCE3
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                        Malware Analysis System Evasion

Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: 0_2_0040E54F Sleep,ExitProcess
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: 0_2_004198C2 OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Window / User API: threadDelayed 9394
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Window / User API: foregroundWindowGot 1768
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe TID: 5248 | Thread sleep count: 238 > 30
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe TID: 5248 | Thread sleep time: -119000s >= -30000s
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe TID: 2960 | Thread sleep count: 90 > 30
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe TID: 2960 | Thread sleep time: -270000s >= -30000s
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe TID: 2960 | Thread sleep count: 9394 > 30
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe TID: 2960 | Thread sleep time: -28182000s >= -30000s
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: 0_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040B53A
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_0044D5E9 FindFirstFileExA,0_2_0044D5E9
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,0_2_004089A9
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_00406AC2 FindFirstFileW,FindNextFileW,0_2_00406AC2
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,0_2_00407A8C
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00418C69
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,0_2_00408DA7
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00406F06
                        Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, 00000000.00000002.4775165264.000000000070B000.00000004.00000020.00020000.00000000.sdmp, 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, 00000000.00000003.2379459315.000000000070B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWgz
                        Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, 00000000.00000002.4775165264.000000000068E000.00000004.00000020.00020000.00000000.sdmp, 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, 00000000.00000002.4775165264.000000000070B000.00000004.00000020.00020000.00000000.sdmp, 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, 00000000.00000003.2379459315.000000000070B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeAPI call chain: ExitProcess graph end nodegraph_0-47604
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0043A65D
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041BCE3
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_00442554 mov eax, dword ptr fs:[00000030h]0_2_00442554
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_0044E92E GetProcessHeap,0_2_0044E92E
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00434168
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0043A65D
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00433B44
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_00433CD7 SetUnhandledExceptionFilter,0_2_00433CD7
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe0_2_00410F36
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_00418754 mouse_event,0_2_00418754
                        Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, 00000000.00000002.4775165264.00000000006F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerGl
                        Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, 00000000.00000002.4775165264.00000000006F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerG
                        Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, 00000000.00000002.4775165264.00000000006F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerneer
                        Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, 00000000.00000002.4775165264.00000000006F2000.00000004.00000020.00020000.00000000.sdmp, 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, 00000000.00000002.4775165264.0000000000704000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
                        Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, 00000000.00000002.4775165264.00000000006F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerr|
                        Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, 00000000.00000002.4775165264.00000000006F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerI
                        Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, 00000000.00000002.4775165264.000000000068E000.00000004.00000020.00020000.00000000.sdmp, 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, 00000000.00000002.4775165264.00000000006D1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [2024/11/23 00:53:30 Program Manager]
                        Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, 00000000.00000002.4775165264.00000000006D1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
                        Source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, 00000000.00000002.4775165264.000000000068E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerbem;C:\
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_00433E0A cpuid 0_2_00433E0A
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: GetLocaleInfoA,0_2_0040E679
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: EnumSystemLocalesW,0_2_004470AE
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: GetLocaleInfoW,0_2_004510BA
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_004511E3
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: GetLocaleInfoW,0_2_004512EA
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_004513B7
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: GetLocaleInfoW,0_2_00447597
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00450A7F
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: EnumSystemLocalesW,0_2_00450CF7
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: EnumSystemLocalesW,0_2_00450D42
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: EnumSystemLocalesW,0_2_00450DDD
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00450E6A
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_00404915 GetLocalTime,CreateEventA,CreateThread,0_2_00404915
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_0041A7A2 GetComputerNameExW,GetUserNameW,0_2_0041A7A2
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeCode function: 0_2_0044800F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_0044800F
                        Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2323818165.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4775165264.000000000068E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe PID: 6944, type: MEMORYSTR
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0_2_0040B21B
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 0_2_0040B335
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: \key3.db 0_2_0040B335
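The evidence in the two sections above is printed as raw signature lines that a reviewer has to eyeball. The following Python is an added triage helper, written for this page and not part of the Joe Sandbox report or of the sample, that parses those lines in the form they appear here and derives three indicators: the per-thread Sleep totals from the Malware Analysis System Evasion section (TID 2960 alone accumulates 9394 delays totalling 28182000, against the 240 s analysis time the cookbook set), the LoadLibraryA/GetModuleHandleA/GetProcAddress chain at 0_2_0041BCE3 that resolves imports at run time, and the Chrome "Login Data", Firefox "Profiles" and key3.db references at 0_2_0040B21B and 0_2_0040B335 from the Stealing of Sensitive Information section. Assumptions, labelled again in the code: the sleep figures are read as milliseconds (the report labels them "s", but 238 calls at 500 ms give exactly 119000, and 9394 at 3000 ms give exactly 28182000), repeated sleep entries for one TID are taken as cumulative snapshots, the SAMPLE.exe path and the SAMPLE_LINES list are constructed from the report's lines, and the thresholds in triage() are the example author's choice.

```python
"""Triage of Joe Sandbox evidence lines (added example; not report or sample code).

Three indicators, derived from lines in the form the report prints them:
long-sleep evasion, dynamic API resolution, browser credential-store access.
"""
import re
from collections import defaultdict

# Constructed from this report's evidence lines; the sample path is shortened
# to SAMPLE.exe. Only the text after the path is parsed.
SRC = r"Source: C:\Users\user\Desktop\SAMPLE.exe"
SAMPLE_LINES = [
    SRC + " TID: 5248Thread sleep count: 238 > 30",
    SRC + " TID: 5248Thread sleep time: -119000s >= -30000s",
    SRC + " TID: 2960Thread sleep count: 90 > 30",
    SRC + " TID: 2960Thread sleep time: -270000s >= -30000s",
    SRC + " TID: 2960Thread sleep count: 9394 > 30",
    SRC + " TID: 2960Thread sleep time: -28182000s >= -30000s",
    SRC + "Code function: 0_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,"
    "GetModuleHandleA,GetModuleHandleA,GetProcAddress,"
    "LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,"
    "GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,"
    "LoadLibraryA,GetProcAddress,"
    "GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,"
    "GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,"
    "LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,"
    "GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,"
    "LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041BCE3",
    SRC + r"Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data0_2_0040B21B",
    SRC + r"Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\0_2_0040B335",
    SRC + r"Code function: \key3.db0_2_0040B335",
]

SLEEP_COUNT_RE = re.compile(r"TID: (\d+)Thread sleep count: (\d+)")
SLEEP_TIME_RE = re.compile(r"TID: (\d+)Thread sleep time: -(\d+)s")
FUNC_ID_RE = re.compile(r"0_2_[0-9A-F]{8}")
RESOLVER_APIS = {"LoadLibraryA", "LoadLibraryW", "GetModuleHandleA",
                 "GetModuleHandleW", "GetProcAddress"}
CREDENTIAL_STORES = {  # path marker -> label
    r"\Google\Chrome\User Data\Default\Login Data": "Chrome saved logins",
    r"\Mozilla\Firefox\Profiles": "Firefox profile directory",
    r"\key3.db": "Firefox legacy key database",
}


def sleep_summary(lines, analysis_window_ms=240_000):
    """Per-thread Sleep totals. Assumptions: the '-<n>s' totals are read as
    milliseconds (238 calls * 500 ms = 119000 fits the page's figures), and
    repeated entries for one TID are cumulative snapshots, so the largest
    wins. The default window is the 240 s analysis time the report records."""
    per_tid = defaultdict(lambda: {"calls": 0, "total_ms": 0})
    for line in lines:
        m = SLEEP_COUNT_RE.search(line)
        if m:
            s = per_tid[m.group(1)]
            s["calls"] = max(s["calls"], int(m.group(2)))
        m = SLEEP_TIME_RE.search(line)
        if m:
            s = per_tid[m.group(1)]
            s["total_ms"] = max(s["total_ms"], int(m.group(2)))
    for s in per_tid.values():
        s["avg_ms"] = s["total_ms"] / s["calls"] if s["calls"] else 0.0
        s["exceeds_window"] = s["total_ms"] > analysis_window_ms
    return dict(per_tid)


def parse_code_function(line):
    """Return (function id, body) for a 'Code function:' line, or None.
    The report glues the id to the end of the body and repeats it in front
    of API chains; both copies are stripped."""
    m = re.search(r"Code function: (.*)$", line)
    if not m:
        return None
    body = m.group(1)
    ids = FUNC_ID_RE.findall(body)
    return (ids[0] if ids else None,
            FUNC_ID_RE.sub("", body).strip().rstrip(","))


def dynamic_resolution(api_chain):
    """(GetProcAddress calls, share of resolver APIs) for a comma-separated
    chain; a chain that is nothing but resolver calls hides its real imports."""
    apis = [a for a in api_chain.split(",") if a]
    if not apis:
        return 0, 0.0
    return apis.count("GetProcAddress"), sum(a in RESOLVER_APIS for a in apis) / len(apis)


def credential_store_refs(body):
    """Labels of browser credential stores whose path markers appear in body."""
    low = body.lower()
    return [label for marker, label in CREDENTIAL_STORES.items() if marker.lower() in low]


def triage(lines, min_gpa=5, min_share=0.8):
    """Run all three checks; the thresholds are the example author's choice."""
    findings = {"sleep": sleep_summary(lines), "dynamic_resolution": [], "credential_stores": []}
    for line in lines:
        parsed = parse_code_function(line)
        if not parsed:
            continue
        func_id, body = parsed
        gpa, share = dynamic_resolution(body)
        if gpa >= min_gpa and share >= min_share:
            findings["dynamic_resolution"].append((func_id, gpa))
        findings["credential_stores"] += [(func_id, l) for l in credential_store_refs(body)]
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(key, value)
```

Two caveats worth keeping next to the numbers. First, the 240 s window is what this report's cookbook overrode the analysis time to; TID 5248's 119 s total fits inside it, TID 2960's does not, which is why the delayed-exit and sleep signatures fired. Second, key3.db is the master-key store of Firefox profiles older than version 58 (later profiles use key4.db), so that reference covers legacy profiles only; the analysis system here runs Firefox 118.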

Remote Access Functionality

Source: Yara match | File source: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2323818165.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4775165264.000000000068E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe PID: 6944, type: MEMORYSTR
Source: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | Code function: cmd.exe 0_2_00405042
MITRE ATT&CK Matrix (leading digits on a technique are the report's signature counts)

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 12 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | 1 Windows Service | 1 Bypass User Account Control | 2 Obfuscated Files or Information | 211 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 211 Input Capture | 2 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement |
| Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | Logon Script (Windows) | 1 Access Token Manipulation | 1 DLL Side-Loading | 2 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Windows Service | 1 Bypass User Account Control | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 11 Process Injection | 1 Masquerading | LSA Secrets | 23 System Information Discovery | SSH | Keylogging | 22 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Virtualization/Sandbox Evasion | Cached Domain Credentials | 21 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 1 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 Process Injection | Proc Filesystem | 2 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |

| Source | Detection | Scanner | Label |
| 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | 74% | ReversingLabs | Win32.Backdoor.Remcos |
| 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | 70% | Virustotal | |
| 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | 100% | Avira | BDS/Backdoor.Gen |
| 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | 100% | Joe Sandbox ML | |

No Antivirus matches
| Source | Detection | Scanner | Label |
| escoclar.duckdns.org | 100% | Avira URL Cloud | malware |

| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
| geoplugin.net | 178.237.33.50 | true | false | | high |
| escoclar.duckdns.org | 154.216.17.204 | true | true | | unknown |

| Name | Malicious | Antivirus Detection | Reputation |
| http://geoplugin.net/json.gp | false | | high |
| escoclar.duckdns.org | true | Avira URL Cloud: malware | unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
| http://geoplugin.net/json.gpt | 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, 00000000.00000003.2379459315.00000000006F2000.00000004.00000020.00020000.00000000.sdmp, 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, 00000000.00000002.4775165264.00000000006F2000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://geoplugin.net/json.gpal | 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, 00000000.00000003.2379459315.00000000006F2000.00000004.00000020.00020000.00000000.sdmp, 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, 00000000.00000002.4775165264.00000000006F2000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://geoplugin.net/json.gp/C | 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe | false | | high |
| http://geoplugin.net/json.gpl | 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, 00000000.00000003.2379459315.00000000006F2000.00000004.00000020.00020000.00000000.sdmp, 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, 00000000.00000002.4775165264.00000000006F2000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://geoplugin.net/json.gpSystem32 | 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, 00000000.00000002.4775165264.000000000068E000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://geoplugin.net/json.gpll | 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, 00000000.00000002.4775165264.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, 00000000.00000003.2379459315.00000000006D1000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| http://geoplugin.net/json.gp- | 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, 00000000.00000002.4775165264.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, 00000000.00000003.2379459315.00000000006D1000.00000004.00000020.00020000.00000000.sdmp | false | | high |
| IP | Domain | Country | ASN | ASN Name | Malicious |
| 154.216.17.204 | escoclar.duckdns.org | Seychelles | 135357 | SKHT-AS Shenzhen Katherine Heng Technology Information Co | true |
| 178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-AS ATOM86 NL | false |
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1561338
Start date and time: 2024-11-23 06:52:14 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 5s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@1/2@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 38
• Number of non-executed functions: 203
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240s for sample files taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtQueryValueKey calls found.
                                             Time | Type | Description
                                             00:54:02 | API Interceptor | 6699284x Sleep call for process: 1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe modified
                                               Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                               154.216.17.204 | 1732341065aa3050236bf0a757080986a42d53699fd38d78c31f65f12b4934c9236ce70a12688.dat-decoded.exe | malicious | XenoRAT |
                                               178.237.33.50 | 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
                                               178.237.33.50 | 018292540-LetterReguranPPI-20230814215304.PDF.exe | malicious | Remcos | geoplugin.net/json.gp
                                               178.237.33.50 | 800399031-18.11.2024.pdf.exe | malicious | Remcos | geoplugin.net/json.gp
                                               178.237.33.50 | Purchase Inquiry_002.exe | malicious | Remcos | geoplugin.net/json.gp
                                               178.237.33.50 | APPENDIX FORM_N#U00b045013-20241120.com.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
                                               178.237.33.50 | wE1inOhJA5.msi | malicious | Remcos, RHADAMANTHYS | geoplugin.net/json.gp
                                               178.237.33.50 | ORDER AND SPECIFICATIONS.scr.exe | malicious | Remcos | geoplugin.net/json.gp
                                               178.237.33.50 | 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
                                               178.237.33.50 | 1732143786cec792bea7f8ce7f818c031173ce52fabd19dde842f74b07fc234dc9f3fa1dcf839.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
                                               178.237.33.50 | seethebestthignswhichgivingbestopportunities.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher | geoplugin.net/json.gp
                                               Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                               geoplugin.net | 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | malicious | Remcos | 178.237.33.50
                                               geoplugin.net | 018292540-LetterReguranPPI-20230814215304.PDF.exe | malicious | Remcos | 178.237.33.50
                                               geoplugin.net | 800399031-18.11.2024.pdf.exe | malicious | Remcos | 178.237.33.50
                                               geoplugin.net | Purchase Inquiry_002.exe | malicious | Remcos | 178.237.33.50
                                               geoplugin.net | APPENDIX FORM_N#U00b045013-20241120.com.exe | malicious | Remcos, GuLoader | 178.237.33.50
                                               geoplugin.net | wE1inOhJA5.msi | malicious | Remcos, RHADAMANTHYS | 178.237.33.50
                                               geoplugin.net | ORDER AND SPECIFICATIONS.scr.exe | malicious | Remcos | 178.237.33.50
                                               geoplugin.net | 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | malicious | Remcos | 178.237.33.50
                                               geoplugin.net | 1732143786cec792bea7f8ce7f818c031173ce52fabd19dde842f74b07fc234dc9f3fa1dcf839.dat-decoded.exe | malicious | Remcos | 178.237.33.50
                                               geoplugin.net | seethebestthignswhichgivingbestopportunities.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher | 178.237.33.50
                                               Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                               SKHT-ASShenzhenKatherineHengTechnologyInformationCo | 1732341065aa3050236bf0a757080986a42d53699fd38d78c31f65f12b4934c9236ce70a12688.dat-decoded.exe | malicious | XenoRAT | 154.216.17.204
                                               SKHT-ASShenzhenKatherineHengTechnologyInformationCo | test1.elf | malicious | Mirai | 154.216.16.109
                                               SKHT-ASShenzhenKatherineHengTechnologyInformationCo | https://clearview-ps.inwise.net/Page_11-21-2024_1 | malicious | HTMLPhisher | 154.216.17.193
                                               SKHT-ASShenzhenKatherineHengTechnologyInformationCo | m68k.nn.elf | malicious | Mirai, Okiru | 154.216.19.139
                                               SKHT-ASShenzhenKatherineHengTechnologyInformationCo | 018292540-LetterReguranPPI-20230814215304.PDF.exe | malicious | Remcos | 154.216.20.185
                                               SKHT-ASShenzhenKatherineHengTechnologyInformationCo | 800399031-18.11.2024.pdf.exe | malicious | Remcos | 154.216.20.185
                                               SKHT-ASShenzhenKatherineHengTechnologyInformationCo | vkjqpc.elf | malicious | Mirai | 154.216.16.109
                                               SKHT-ASShenzhenKatherineHengTechnologyInformationCo | vsbeps.elf | malicious | Mirai | 154.216.16.109
                                               SKHT-ASShenzhenKatherineHengTechnologyInformationCo | wnbw86.elf | malicious | Mirai | 154.216.16.109
                                               SKHT-ASShenzhenKatherineHengTechnologyInformationCo | qkehusl.elf | malicious | Mirai | 154.216.16.109
                                               ATOM86-ASATOM86NL | 17323144242c7236b99d23fa10a9292bd7fb1c1fb47a26f3a8dc1daae9ecf25bbc7e35eb77810.dat-decoded.exe | malicious | Remcos | 178.237.33.50
                                               ATOM86-ASATOM86NL | 018292540-LetterReguranPPI-20230814215304.PDF.exe | malicious | Remcos | 178.237.33.50
                                               ATOM86-ASATOM86NL | 800399031-18.11.2024.pdf.exe | malicious | Remcos | 178.237.33.50
                                               ATOM86-ASATOM86NL | Purchase Inquiry_002.exe | malicious | Remcos | 178.237.33.50
                                               ATOM86-ASATOM86NL | APPENDIX FORM_N#U00b045013-20241120.com.exe | malicious | Remcos, GuLoader | 178.237.33.50
                                               ATOM86-ASATOM86NL | wE1inOhJA5.msi | malicious | Remcos, RHADAMANTHYS | 178.237.33.50
                                               ATOM86-ASATOM86NL | ORDER AND SPECIFICATIONS.scr.exe | malicious | Remcos | 178.237.33.50
                                               ATOM86-ASATOM86NL | 1732147507ac10953a908ae794c5ee180add9124a78c69705135688e502bb56ce4453da749198.dat-decoded.exe | malicious | Remcos | 178.237.33.50
                                               ATOM86-ASATOM86NL | 1732143786cec792bea7f8ce7f818c031173ce52fabd19dde842f74b07fc234dc9f3fa1dcf839.dat-decoded.exe | malicious | Remcos | 178.237.33.50
                                               ATOM86-ASATOM86NL | seethebestthignswhichgivingbestopportunities.hta | malicious | Cobalt Strike, Remcos, HTMLPhisher | 178.237.33.50
                                              No context
                                              No context
                                              Process:C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):184
                                              Entropy (8bit):6.907344140919772
                                              Encrypted:false
                                              SSDEEP:3:QjuGz0nfjzkOPqXToUw49ogx3BFUy6u65dfhavKicmJGjFQtpcICgm+F:f7nfjIgq0cfxxFUy6u65dpaVcIjm+F
                                              MD5:553BA1F6B365102EC663AA833723985E
                                              SHA1:F0162431676AD5B9F243BC89E4A56FC1980893F7
                                              SHA-256:6256F02D27D209E215B5F9D04C4797B5A1CDF3C56991E64E86AB2B94A69AFDA9
                                              SHA-512:CC1DBE40E760905B9020D4DD955C59B850504E0B97C7A24A4C0EF0550E42D3F23920691F2F1F36656ED672A6219212A56B6C9E28E0673CAD27D0E6749AF5EE4E
                                              Malicious:false
                                              Reputation:low
                                              Preview:..!...<.^g.J.h.g.....{..:T@YT...fq.O.).S(..#"..t....r.U...KWJ.\...b..&f.)....qD.^8. ...F<..Rw1..I.U1r...0......G.\.V.$Z...S{......m..{........HP....].XOj...u.L...../ gE.]-./.n..52
                                              Process:C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe
                                              File Type:JSON data
                                              Category:dropped
                                              Size (bytes):962
                                              Entropy (8bit):5.01442467270497
                                              Encrypted:false
                                              SSDEEP:12:tkluQ+nd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qluQydVauKyGX85jvXhNlT3/7AcV9Wro
                                              MD5:4A8FAD17775993221C3AD2D68BB4B306
                                              SHA1:DB42C3975A64E7B4CE2A93FF5AF91F2DF73C82BD
                                              SHA-256:893F1B254D4EC2484868976F1B62D5A064909EA08E46F95193DBE79DB435E604
                                              SHA-512:63252CFDC2CC7A32F86D9CB5D27E1695A8C138EBFBF476741C017EB349F20BDC72FF5856E0044DB189BAABDB1C3819C29FFC33A054810BD0354726300063D52C
                                              Malicious:false
                                              Reputation:low
                                              Preview:{. "geoplugin_request":"8.46.123.75",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Entropy (8bit):6.586640480445764
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe
                                              File size:493'056 bytes
                                              MD5:c2b0f048825a3d1d08df209c48b7531c
                                              SHA1:3200063423feec9bee258f5bd871e778f55983e9
                                              SHA256:9bb9da2d4b47cbb8bd8980f2992a059e0cba6cc0f613ca0dd94fff4fe80a81f7
                                              SHA512:cb713521fe950150bf2aaa95cd5c945d5c3d187ef7540394af09cc5fc88896512f7a1906a6e17f864d1cbdd66d12191fe21a1bf899ab1886c1d3d6225f1e3161
                                              SSDEEP:12288:ruD09AUkNIGBYYv4eK13x13nZHSRVMf139F5wIB7+IwtHwBtVxbesvZDSx+DY:u09AfNIEYsunZvZ19Zes
                                              TLSH:7DA4BF01B6D2C072D57625300D26E775DEBDBD212835897BB3DA1D67FE30180E63AAB2
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)...H...H...H....(..H....*..H....+..H...0]..H..&....H... ...H... ...H... ...H...0J..H...H...I...!...H...!&..H...!...H..Rich.H.
                                              Icon Hash:95694d05214c1b33
                                              Entrypoint:0x433b3a
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                              DLL Characteristics:TERMINAL_SERVER_AWARE
                                              Time Stamp:0x6724916B [Fri Nov 1 08:29:31 2024 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:5
                                              OS Version Minor:1
                                              File Version Major:5
                                              File Version Minor:1
                                              Subsystem Version Major:5
                                              Subsystem Version Minor:1
                                              Import Hash:e77512f955eaf60ccff45e02d69234de
                                              Instruction
                                              call 00007FCF58B33773h
                                              jmp 00007FCF58B330CFh
                                              push ebp
                                              mov ebp, esp
                                              sub esp, 00000324h
                                              push ebx
                                              push 00000017h
                                              call 00007FCF58B555A9h
                                              test eax, eax
                                              je 00007FCF58B33257h
                                              mov ecx, dword ptr [ebp+08h]
                                              int 29h
                                              push 00000003h
                                              call 00007FCF58B33414h
                                              mov dword ptr [esp], 000002CCh
                                              lea eax, dword ptr [ebp-00000324h]
                                              push 00000000h
                                              push eax
                                              call 00007FCF58B3572Bh
                                              add esp, 0Ch
                                              mov dword ptr [ebp-00000274h], eax
                                              mov dword ptr [ebp-00000278h], ecx
                                              mov dword ptr [ebp-0000027Ch], edx
                                              mov dword ptr [ebp-00000280h], ebx
                                              mov dword ptr [ebp-00000284h], esi
                                              mov dword ptr [ebp-00000288h], edi
                                              mov word ptr [ebp-0000025Ch], ss
                                              mov word ptr [ebp-00000268h], cs
                                              mov word ptr [ebp-0000028Ch], ds
                                              mov word ptr [ebp-00000290h], es
                                              mov word ptr [ebp-00000294h], fs
                                              mov word ptr [ebp-00000298h], gs
                                              pushfd
                                              pop dword ptr [ebp-00000264h]
                                              mov eax, dword ptr [ebp+04h]
                                              mov dword ptr [ebp-0000026Ch], eax
                                              lea eax, dword ptr [ebp+04h]
                                              mov dword ptr [ebp-00000260h], eax
                                              mov dword ptr [ebp-00000324h], 00010001h
                                              mov eax, dword ptr [eax-04h]
                                              push 00000050h
                                              mov dword ptr [ebp-00000270h], eax
                                              lea eax, dword ptr [ebp-58h]
                                              push 00000000h
                                              push eax
                                              call 00007FCF58B356A1h
                                              Programming Language:
                                              • [C++] VS2008 SP1 build 30729
                                              • [IMP] VS2008 SP1 build 30729
                                               Name | Virtual Address | Virtual Size | Is in Section
                                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6e020 | 0x104 | .rdata
                                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x76000 | 0x4b58 | .rsrc
                                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7b000 | 0x3b80 | .reloc
                                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6c510 | 0x38 | .rdata
                                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_TLS | 0x6c5e8 | 0x18 | .rdata
                                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6c548 | 0x40 | .rdata
                                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_IAT | 0x57000 | 0x4f4 | .rdata
                                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                               Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                               .text | 0x1000 | 0x55f1d | 0x56000 | 30cda225e02a0d4dab478a6c7c094860 | False | 0.5738610555959303 | data | 6.62127843313247 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                               .rdata | 0x57000 | 0x18b00 | 0x18c00 | 9800e1a5325bb58aa054e318c8bb055a | False | 0.49812578914141414 | OpenPGP Secret Key Version 6 | 5.758930104385571 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                               .data | 0x70000 | 0x5d6c | 0xe00 | 06414e748130e7e668ba2ba172d63448 | False | 0.22684151785714285 | data | 3.093339598098017 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                               .rsrc | 0x76000 | 0x4b58 | 0x4c00 | 3ee717256f2214f7c245f8a4cbf31a30 | False | 0.28448807565789475 | data | 3.9901624165290777 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                               .reloc | 0x7b000 | 0x3b80 | 0x3c00 | 3a880743591ae3410d0dc26d7322ddd0 | False | 0.7569661458333333 | data | 6.695050823503309 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                               Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                               RT_ICON | 0x7618c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3421985815602837
                                               RT_ICON | 0x765f4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.27704918032786885
                                               RT_ICON | 0x76f7c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.23686679174484052
                                               RT_ICON | 0x78024 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.22977178423236513
                                               RT_RCDATA | 0x7a5cc | 0x54b | data | | | 1.0081180811808117
                                               RT_GROUP_ICON | 0x7ab18 | 0x3e | data | English | United States | 0.8064516129032258
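The 0x54b-byte RT_RCDATA resource stands out in that table: it carries no language tag and has a ZLIB complexity above 1.0, meaning it does not compress at all, which is how encrypted data looks and fits the report's "Found malware configuration" signature. Public Remcos analyses describe the configuration resource (named SETTINGS) as a one-byte RC4 key length, the key, and then the RC4-encrypted configuration, with the fields separated by a version-dependent delimiter. That layout and the delimiter are assumptions taken from those analyses, not facts stated in this report, and the decoder below is an added example rather than Joe Sandbox code. Because the resource bytes are not reproduced on the page, the block builds a constructed blob in the same layout and decodes it; against a real sample you would feed it the raw RT_RCDATA bytes instead and check the decrypted output for the expected delimiter before trusting the split.

```python
"""Unwrap a Remcos-style SETTINGS resource blob (added example).

Layout assumed from public Remcos analyses, not from the sandbox report:
  blob[0]          RC4 key length n
  blob[1:1+n]      RC4 key
  blob[1+n:]       RC4 ciphertext of the configuration string
"""
from typing import List, Tuple

# Field delimiter reported for several Remcos versions (assumption; newer
# builds may use a different one, so inspect the decrypted bytes).
FIELD_DELIM = b"|\x1e\x1e\x1f|"

# Constructed demo key and configuration. These are not this sample's values;
# the first field mirrors the host:port shape seen in the report's traffic.
DEMO_KEY = b"constructed-demo-key"
DEMO_FIELDS = [b"154.216.17.204:2404:1", b"constructed-botnet-id", b"1"]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty RC4 key")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def unwrap_settings(blob: bytes) -> Tuple[bytes, bytes]:
    """Return (key, plaintext) from a key-length-prefixed RC4 blob."""
    if len(blob) < 2:
        raise ValueError("blob too short")
    key_len = blob[0]
    # A key length byte that runs past the blob (or is zero) means this is
    # not the expected layout; refuse rather than decrypt garbage.
    if key_len == 0 or len(blob) < 1 + key_len + 1:
        raise ValueError("key length byte inconsistent with blob size")
    key = blob[1:1 + key_len]
    return key, rc4(key, blob[1 + key_len:])


def wrap_settings(key: bytes, plaintext: bytes) -> bytes:
    """Inverse of unwrap_settings; only used here to build the demo blob."""
    if not 0 < len(key) < 256:
        raise ValueError("key length must fit in one byte")
    return bytes([len(key)]) + key + rc4(key, plaintext)


def split_config(plaintext: bytes, delim: bytes = FIELD_DELIM) -> List[bytes]:
    """Split the decrypted configuration into its fields."""
    return plaintext.split(delim)


def build_demo_blob() -> bytes:
    """Constructed blob in the assumed layout, so the decoder can be exercised."""
    return wrap_settings(DEMO_KEY, FIELD_DELIM.join(DEMO_FIELDS))


if __name__ == "__main__":
    key, plain = unwrap_settings(build_demo_blob())
    print("key:", key)
    for idx, field in enumerate(split_config(plain)):
        print(f"field[{idx}] = {field!r}")
```

The RC4 routine is checked against a published test vector in the test rather than trusted blindly, since a subtly wrong KSA still produces plausible-looking bytes.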
                                               DLL | Imports
                                               KERNEL32.dll | ExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, LoadLibraryA, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, SetConsoleOutputCP, FormatMessageA, FindFirstFileA, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, HeapReAlloc, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, GetACP, GetModuleHandleExW, MoveFileExW, LoadLibraryExW, RaiseException, RtlUnwind, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, MultiByteToWideChar, DecodePointer, EncodePointer, TlsFree, TlsSetValue, GetFileSize, TerminateThread, GetLastError, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, CreateDirectoryW, GetLogicalDriveStringsA, DeleteFileW, FindNextFileA, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, GetProcAddress, CreateMutexA, GetCurrentProcess, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, FindNextVolumeW, TlsGetValue, TlsAlloc, SwitchToThread, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, InitializeCriticalSectionAndSpinCount, SetEndOfFile
                                               USER32.dll | DefWindowProcA, TranslateMessage, DispatchMessageA, GetMessageA, GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, GetWindowThreadProcessId, SetForegroundWindow, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CreateWindowExA, SendInput, EnumDisplaySettingsW, mouse_event, MapVirtualKeyA, TrackPopupMenu, CreatePopupMenu, AppendMenuA, RegisterClassExA, GetCursorPos, SystemParametersInfoW, GetIconInfo, GetSystemMetrics, CloseWindow, DrawIcon
                                               GDI32.dll | BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteDC, DeleteObject, CreateDCA, GetObjectA, SelectObject
                                               ADVAPI32.dll | LookupPrivilegeValueA, CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, RegDeleteKeyA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW
                                               SHELL32.dll | ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
                                               ole32.dll | CoInitializeEx, CoGetObject, CoUninitialize
                                               SHLWAPI.dll | StrToIntA, PathFileExistsW, PathFileExistsA
                                               WINMM.dll | mciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInStart, waveInUnprepareHeader, waveInOpen, waveInAddBuffer, waveInPrepareHeader, PlaySoundW
                                               WS2_32.dll | send, WSAStartup, socket, connect, WSAGetLastError, recv, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, gethostbyname
                                               urlmon.dll | URLOpenBlockingStreamW, URLDownloadToFileW
                                               gdiplus.dll | GdipAlloc, GdiplusStartup, GdipGetImageEncoders, GdipLoadImageFromStream, GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipCloneImage
                                               WININET.dll | InternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile
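The import table above is the static evidence behind several of the report's behavioural signatures: SetWindowsHookExA with CallNextHookEx and GetKeyboardState for the global keyboard hook, CreateProcessW with WriteProcessMemory, SetThreadContext and ResumeThread for thread-context injection, the clipboard and GDI capture APIs, waveIn for audio, and CoGetObject, the call behind the COM elevation moniker that the CMSTPLUA UAC bypass uses. The script below is an added example, not code from the report or from Joe Sandbox: it groups imports into capability clusters and reports the clusters that are fully present. The rule set and the normalisation (dropping a trailing A/W so ANSI and Unicode variants match) are my own heuristics, and the sample import dictionary is an abbreviated transcription of this report's table. A cluster hit is a triage lead, not proof: CoGetObject is used by any COM client, and the report's CMSTPLUA verdict rests on the moniker string, which an import table cannot show.

```python
"""Capability triage from a PE import table (added example).

The rules map Win32 API clusters to behaviours; all APIs in a cluster must be
present for it to fire. Names are compared case-insensitively and without a
trailing A/W suffix.
"""
from typing import Dict, List, Set

# Abbreviated transcription of this report's import table: only the APIs the
# rules below look at are kept (the real table is far longer).
SAMPLE_IMPORTS: Dict[str, List[str]] = {
    "KERNEL32.dll": ["CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW",
                     "OpenProcess", "VirtualAlloc", "WriteProcessMemory", "CreateProcessW",
                     "GetThreadContext", "SetThreadContext", "ResumeThread",
                     "IsDebuggerPresent", "CreateMutexA", "Sleep"],
    "USER32.dll": ["SetWindowsHookExA", "CallNextHookEx", "UnhookWindowsHookEx", "ToUnicodeEx",
                   "GetKeyboardState", "OpenClipboard", "GetClipboardData", "SetClipboardData",
                   "SystemParametersInfoW"],
    "GDI32.dll": ["BitBlt", "CreateCompatibleBitmap", "GetDIBits"],
    "ADVAPI32.dll": ["OpenSCManagerW", "EnumServicesStatusW", "ChangeServiceConfigW",
                     "RegSetValueExW", "RegCreateKeyW", "CryptGenRandom"],
    "ole32.dll": ["CoInitializeEx", "CoGetObject", "CoUninitialize"],
    "WINMM.dll": ["waveInOpen", "waveInStart", "waveInAddBuffer"],
    "urlmon.dll": ["URLDownloadToFileW"],
    "WS2_32.dll": ["socket", "connect", "send", "recv"],
}

# My own heuristic clusters (not a Joe Sandbox signature set).
CAPABILITY_RULES: Dict[str, Set[str]] = {
    "keylogging (global keyboard hook)": {"SetWindowsHookEx", "CallNextHookEx", "GetKeyboardState"},
    "process hollowing / thread-context injection":
        {"CreateProcess", "WriteProcessMemory", "SetThreadContext", "ResumeThread"},
    "process enumeration (injection target search)":
        {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"},
    "clipboard read/write": {"OpenClipboard", "GetClipboardData", "SetClipboardData"},
    "screen capture": {"BitBlt", "CreateCompatibleBitmap", "GetDIBits"},
    "microphone capture": {"waveInOpen", "waveInStart", "waveInAddBuffer"},
    "COM elevation moniker (used by the CMSTPLUA UAC bypass)": {"CoInitializeEx", "CoGetObject"},
    "service tampering": {"OpenSCManager", "EnumServicesStatus", "ChangeServiceConfig"},
    "download-and-execute": {"URLDownloadToFile", "CreateProcess"},
    "raw TCP C2 channel": {"socket", "connect", "send", "recv"},
    "debugger check": {"IsDebuggerPresent"},
}


def normalize(api: str) -> str:
    """Lower-case and drop a trailing A/W so ANSI and Unicode variants match.

    The suffix is only stripped when preceded by a lower-case letter, so names
    such as CreateDCA or GetACP are left alone (and simply will not match)."""
    name = api.strip()
    if len(name) > 1 and name[-1] in "AW" and name[-2].islower():
        name = name[:-1]
    return name.lower()


def parse_import_table(text: str) -> Dict[str, List[str]]:
    """Parse lines of the form 'KERNEL32.dll: Foo, Bar' into {dll: [apis]}."""
    table: Dict[str, List[str]] = {}
    for line in text.strip().splitlines():
        if ":" not in line:
            continue
        dll, apis = line.split(":", 1)
        table.setdefault(dll.strip(), []).extend(
            a.strip() for a in apis.split(",") if a.strip())
    return table


def triage(imports: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {behaviour: [matching imports]} for every fully satisfied rule."""
    present = {normalize(a): a for apis in imports.values() for a in apis}
    hits: Dict[str, List[str]] = {}
    for behaviour, needed in CAPABILITY_RULES.items():
        wanted = {normalize(n) for n in needed}
        if wanted.issubset(present):
            hits[behaviour] = sorted(present[n] for n in wanted)
    return hits


if __name__ == "__main__":
    for behaviour, apis in triage(SAMPLE_IMPORTS).items():
        print(f"{behaviour}: {', '.join(apis)}")
```

Run against the transcribed table every cluster fires, which is the point: Remcos is a full-featured RAT and its import table says so before it runs. Against a benign program (Sleep, GetTickCount, MessageBoxW) nothing fires.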
                                               Language of compilation system | Country where language is spoken
                                               English | United States
                                               Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                               2024-11-23T06:53:34.237681+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49716 | 154.216.17.204 | 2404 | TCP
                                               2024-11-23T06:53:37.359161+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.6 | 49717 | 178.237.33.50 | 80 | TCP
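Two different things are alerting here. The second alert is the one-off HTTP request to geoplugin.net (178.237.33.50), a legitimate geolocation API that Remcos queries once at start-up and that the context tables above associate with many other Remcos samples; it is not the command-and-control server and should not be blocked or attributed as one. The C2 channel is the TLS session to 154.216.17.204:2404 that the JA3 rule fires on, and in the packet table below that flow shows the behaviour a signature-less detection would key on: after the initial exchange, the server sends a packet every 30 seconds and the implant answers within a few milliseconds. The script below is an added example, not part of the report: it groups a flow's packets into exchanges and measures the interval between them, the usual way to pick a beaconing implant out of flow data when no signature matches. The packet records are transcribed from this report's table into a pipe-separated layout assumed for the example, and the burst gap and tolerance thresholds are my own choices.

```python
"""Keep-alive cadence from a packet log (added example).

Packets of one flow are grouped into exchanges (bursts separated by more than
`gap` seconds); the interval between exchange starts is the beacon period.
Also reports which side opens each exchange, since with Remcos it is the
server that polls the implant.
"""
from datetime import datetime
from statistics import median
from typing import List, Optional, Tuple

Packet = Tuple[datetime, str, int, str, int]  # ts, src, sport, dst, dport

# Constructed transcription of this report's packet table: the C2 flow after
# the TLS handshake plus one geoplugin.net packet, as
# timestamp | sport | dport | src | dst
PACKET_LOG = """
Nov 23, 2024 06:53:37.387612104 CET | 49716 | 2404 | 192.168.2.6 | 154.216.17.204
Nov 23, 2024 06:53:37.507172108 CET | 2404 | 49716 | 154.216.17.204 | 192.168.2.6
Nov 23, 2024 06:53:42.918756962 CET | 2404 | 49716 | 154.216.17.204 | 192.168.2.6
Nov 23, 2024 06:53:42.920947075 CET | 49716 | 2404 | 192.168.2.6 | 154.216.17.204
Nov 23, 2024 06:53:43.040863037 CET | 2404 | 49716 | 154.216.17.204 | 192.168.2.6
Nov 23, 2024 06:54:12.917431116 CET | 2404 | 49716 | 154.216.17.204 | 192.168.2.6
Nov 23, 2024 06:54:12.919126987 CET | 49716 | 2404 | 192.168.2.6 | 154.216.17.204
Nov 23, 2024 06:54:13.038533926 CET | 2404 | 49716 | 154.216.17.204 | 192.168.2.6
Nov 23, 2024 06:54:42.922408104 CET | 2404 | 49716 | 154.216.17.204 | 192.168.2.6
Nov 23, 2024 06:54:42.926476002 CET | 49716 | 2404 | 192.168.2.6 | 154.216.17.204
Nov 23, 2024 06:54:43.045980930 CET | 2404 | 49716 | 154.216.17.204 | 192.168.2.6
Nov 23, 2024 06:55:12.921695948 CET | 2404 | 49716 | 154.216.17.204 | 192.168.2.6
Nov 23, 2024 06:55:12.923235893 CET | 49716 | 2404 | 192.168.2.6 | 154.216.17.204
Nov 23, 2024 06:55:13.042704105 CET | 2404 | 49716 | 154.216.17.204 | 192.168.2.6
Nov 23, 2024 06:55:25.792438984 CET | 49717 | 80 | 192.168.2.6 | 178.237.33.50
"""


def parse_ts(ts: str) -> datetime:
    """'Nov 23, 2024 06:53:37.387612104 CET' -> naive datetime (ns cut to us)."""
    body, _tz = ts.rsplit(" ", 1)             # zone name dropped; all rows are CET
    head, frac = body.split(".")
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_log(text: str) -> List[Packet]:
    packets: List[Packet] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sport, dport, src, dst = (f.strip() for f in line.split("|"))
        packets.append((parse_ts(ts), src, int(sport), dst, int(dport)))
    return packets


def bursts(packets: List[Packet], local_ip: str, remote: Tuple[str, int],
           gap: float = 1.0) -> List[List[Packet]]:
    """Packets of the flow local_ip <-> remote, split at silences longer than gap."""
    flow = sorted(
        (p for p in packets
         if (p[1] == local_ip and (p[3], p[4]) == remote)
         or (p[3] == local_ip and (p[1], p[2]) == remote)),
        key=lambda p: p[0])
    groups: List[List[Packet]] = []
    for p in flow:
        if groups and (p[0] - groups[-1][-1][0]).total_seconds() <= gap:
            groups[-1].append(p)
        else:
            groups.append([p])
    return groups


def beacon_profile(packets: List[Packet], local_ip: str, remote: Tuple[str, int],
                   tolerance: float = 0.1
                   ) -> Tuple[List[float], Optional[float], float, float]:
    """Return (intervals, period, regularity, remote_initiated_fraction).

    period is the median gap between exchange starts; regularity is the share
    of gaps within +/- tolerance of it; the last value is the share of
    exchanges whose first packet came from the remote host. Fewer than three
    gaps is too little to call, so period is then None."""
    groups = bursts(packets, local_ip, remote)
    starts = [g[0][0] for g in groups]
    intervals = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    if len(intervals) < 3:
        return intervals, None, 0.0, 0.0
    period = median(intervals)
    regularity = sum(abs(i - period) <= tolerance * period for i in intervals) / len(intervals)
    remote_first = sum(g[0][1] == remote[0] for g in groups) / len(groups)
    return intervals, period, regularity, remote_first


if __name__ == "__main__":
    pk = parse_log(PACKET_LOG)
    iv, period, reg, rf = beacon_profile(pk, "192.168.2.6", ("154.216.17.204", 2404))
    print(f"intervals={['%.3f' % i for i in iv]} period={period:.3f}s "
          f"regular={reg:.2f} remote_initiated={rf:.2f}")
```

On the transcribed flow the first gap (about 5.5 s, the post-handshake exchange) is an outlier and the remaining three are 30 s to within milliseconds, so the median lands on 30 s with three of four gaps inside the 10% band and four of five exchanges opened by the server. The geoplugin flow has a single packet and yields no period, which is the correct answer for a one-shot lookup.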
                                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                               Nov 23, 2024 06:53:32.706047058 CET | 49716 | 2404 | 192.168.2.6 | 154.216.17.204
                                               Nov 23, 2024 06:53:32.826148033 CET | 2404 | 49716 | 154.216.17.204 | 192.168.2.6
                                               Nov 23, 2024 06:53:32.826278925 CET | 49716 | 2404 | 192.168.2.6 | 154.216.17.204
                                               Nov 23, 2024 06:53:32.832211018 CET | 49716 | 2404 | 192.168.2.6 | 154.216.17.204
                                               Nov 23, 2024 06:53:32.951818943 CET | 2404 | 49716 | 154.216.17.204 | 192.168.2.6
                                               Nov 23, 2024 06:53:34.197021961 CET | 2404 | 49716 | 154.216.17.204 | 192.168.2.6
                                               Nov 23, 2024 06:53:34.237680912 CET | 49716 | 2404 | 192.168.2.6 | 154.216.17.204
                                               Nov 23, 2024 06:53:34.439949989 CET | 2404 | 49716 | 154.216.17.204 | 192.168.2.6
                                               Nov 23, 2024 06:53:34.445780039 CET | 49716 | 2404 | 192.168.2.6 | 154.216.17.204
                                               Nov 23, 2024 06:53:34.565269947 CET | 2404 | 49716 | 154.216.17.204 | 192.168.2.6
                                               Nov 23, 2024 06:53:34.565438986 CET | 49716 | 2404 | 192.168.2.6 | 154.216.17.204
                                               Nov 23, 2024 06:53:34.685056925 CET | 2404 | 49716 | 154.216.17.204 | 192.168.2.6
                                               Nov 23, 2024 06:53:35.038661957 CET | 2404 | 49716 | 154.216.17.204 | 192.168.2.6
                                               Nov 23, 2024 06:53:35.040812016 CET | 49716 | 2404 | 192.168.2.6 | 154.216.17.204
                                               Nov 23, 2024 06:53:35.160310984 CET | 2404 | 49716 | 154.216.17.204 | 192.168.2.6
                                               Nov 23, 2024 06:53:35.239934921 CET | 2404 | 49716 | 154.216.17.204 | 192.168.2.6
                                               Nov 23, 2024 06:53:35.291276932 CET | 49716 | 2404 | 192.168.2.6 | 154.216.17.204
                                               Nov 23, 2024 06:53:35.941554070 CET | 49717 | 80 | 192.168.2.6 | 178.237.33.50
                                               Nov 23, 2024 06:53:36.061379910 CET | 80 | 49717 | 178.237.33.50 | 192.168.2.6
                                               Nov 23, 2024 06:53:36.061475039 CET | 49717 | 80 | 192.168.2.6 | 178.237.33.50
                                               Nov 23, 2024 06:53:36.062536955 CET | 49717 | 80 | 192.168.2.6 | 178.237.33.50
                                               Nov 23, 2024 06:53:36.182101011 CET | 80 | 49717 | 178.237.33.50 | 192.168.2.6
                                               Nov 23, 2024 06:53:37.359110117 CET | 80 | 49717 | 178.237.33.50 | 192.168.2.6
                                               Nov 23, 2024 06:53:37.359160900 CET | 49717 | 80 | 192.168.2.6 | 178.237.33.50
                                               Nov 23, 2024 06:53:37.387612104 CET | 49716 | 2404 | 192.168.2.6 | 154.216.17.204
                                               Nov 23, 2024 06:53:37.507172108 CET | 2404 | 49716 | 154.216.17.204 | 192.168.2.6
                                               Nov 23, 2024 06:53:38.358895063 CET | 80 | 49717 | 178.237.33.50 | 192.168.2.6
                                               Nov 23, 2024 06:53:38.359399080 CET | 49717 | 80 | 192.168.2.6 | 178.237.33.50
                                               Nov 23, 2024 06:53:42.918756962 CET | 2404 | 49716 | 154.216.17.204 | 192.168.2.6
                                               Nov 23, 2024 06:53:42.920947075 CET | 49716 | 2404 | 192.168.2.6 | 154.216.17.204
                                               Nov 23, 2024 06:53:43.040863037 CET | 2404 | 49716 | 154.216.17.204 | 192.168.2.6
                                               Nov 23, 2024 06:54:12.917431116 CET | 2404 | 49716 | 154.216.17.204 | 192.168.2.6
                                               Nov 23, 2024 06:54:12.919126987 CET | 49716 | 2404 | 192.168.2.6 | 154.216.17.204
                                               Nov 23, 2024 06:54:13.038533926 CET | 2404 | 49716 | 154.216.17.204 | 192.168.2.6
                                               Nov 23, 2024 06:54:42.922408104 CET | 2404 | 49716 | 154.216.17.204 | 192.168.2.6
                                               Nov 23, 2024 06:54:42.926476002 CET | 49716 | 2404 | 192.168.2.6 | 154.216.17.204
                                               Nov 23, 2024 06:54:43.045980930 CET | 2404 | 49716 | 154.216.17.204 | 192.168.2.6
                                               Nov 23, 2024 06:55:12.921695948 CET | 2404 | 49716 | 154.216.17.204 | 192.168.2.6
                                               Nov 23, 2024 06:55:12.923235893 CET | 49716 | 2404 | 192.168.2.6 | 154.216.17.204
                                               Nov 23, 2024 06:55:13.042704105 CET | 2404 | 49716 | 154.216.17.204 | 192.168.2.6
                                               Nov 23, 2024 06:55:25.792438984 CET | 49717 | 80 | 192.168.2.6 | 178.237.33.50
                                               Nov 23, 2024 06:55:26.135339975 CET | 49717 | 80 | 192.168.2.6 | 178.237.33.50
                                               Nov 23, 2024 06:55:26.822825909 CET | 49717 | 80 | 192.168.2.6 | 178.237.33.50
                                              Nov 23, 2024 06:55:28.096142054 CET4971780192.168.2.6178.237.33.50
                                              Nov 23, 2024 06:55:30.635356903 CET4971780192.168.2.6178.237.33.50
                                              Nov 23, 2024 06:55:35.729151011 CET4971780192.168.2.6178.237.33.50
                                              Nov 23, 2024 06:55:42.916759968 CET240449716154.216.17.204192.168.2.6
                                              Nov 23, 2024 06:55:42.918409109 CET497162404192.168.2.6154.216.17.204
                                              Nov 23, 2024 06:55:43.039695978 CET240449716154.216.17.204192.168.2.6
                                              Nov 23, 2024 06:55:45.932235003 CET4971780192.168.2.6178.237.33.50
                                              Nov 23, 2024 06:56:12.937724113 CET240449716154.216.17.204192.168.2.6
                                              Nov 23, 2024 06:56:12.939301014 CET497162404192.168.2.6154.216.17.204
                                              Nov 23, 2024 06:56:13.058947086 CET240449716154.216.17.204192.168.2.6
                                              Nov 23, 2024 06:56:42.927361965 CET240449716154.216.17.204192.168.2.6
                                              Nov 23, 2024 06:56:42.929501057 CET497162404192.168.2.6154.216.17.204
                                              Nov 23, 2024 06:56:43.048937082 CET240449716154.216.17.204192.168.2.6
                                              Nov 23, 2024 06:57:12.944139957 CET240449716154.216.17.204192.168.2.6
                                              Nov 23, 2024 06:57:12.945914030 CET497162404192.168.2.6154.216.17.204
                                              Nov 23, 2024 06:57:13.065445900 CET240449716154.216.17.204192.168.2.6
Timestamp                           | Source Port | Dest Port | Source IP   | Dest IP
Nov 23, 2024 06:53:31.878846884 CET | 61752       | 53        | 192.168.2.6 | 1.1.1.1
Nov 23, 2024 06:53:32.701870918 CET | 53          | 61752     | 1.1.1.1     | 192.168.2.6
Nov 23, 2024 06:53:35.799992085 CET | 52249       | 53        | 192.168.2.6 | 1.1.1.1
Nov 23, 2024 06:53:35.937406063 CET | 53          | 52249     | 1.1.1.1     | 192.168.2.6
Timestamp                           | Source IP   | Dest IP | Trans ID | OP Code            | Name                 | Type           | Class       | DNS over HTTPS
Nov 23, 2024 06:53:31.878846884 CET | 192.168.2.6 | 1.1.1.1 | 0x5341   | Standard query (0) | escoclar.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 23, 2024 06:53:35.799992085 CET | 192.168.2.6 | 1.1.1.1 | 0xaf9a   | Standard query (0) | geoplugin.net        | A (IP address) | IN (0x0001) | false
Timestamp                           | Source IP | Dest IP     | Trans ID | Reply Code   | Name                 | CName | Address        | Type           | Class       | DNS over HTTPS
Nov 23, 2024 06:53:32.701870918 CET | 1.1.1.1   | 192.168.2.6 | 0x5341   | No error (0) | escoclar.duckdns.org |       | 154.216.17.204 | A (IP address) | IN (0x0001) | false
Nov 23, 2024 06:53:35.937406063 CET | 1.1.1.1   | 192.168.2.6 | 0xaf9a   | No error (0) | geoplugin.net        |       | 178.237.33.50  | A (IP address) | IN (0x0001) | false
                                              • geoplugin.net
Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
0          | 192.168.2.6 | 49717       | 178.237.33.50  | 80               | 6944 | C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe
Timestamp                           | Bytes transferred | Direction | Data
Nov 23, 2024 06:53:36.062536955 CET | 71                | OUT       | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Nov 23, 2024 06:53:37.359110117 CET | 1170              | IN        | HTTP/1.1 200 OK
                                              date: Sat, 23 Nov 2024 05:53:37 GMT
                                              server: Apache
                                              content-length: 962
                                              content-type: application/json; charset=utf-8
                                              cache-control: public, max-age=300
                                              access-control-allow-origin: *
                                              Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 37 35 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 32 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED]
                                              Data Ascii: { "geoplugin_request":"8.46.123.75", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}



Target ID: 0
Start time: 00:53:30
Start date: 23/11/2024
Path: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe"
Imagebase: 0x400000
File size: 493'056 bytes
MD5 hash: C2B0F048825A3D1D08DF209C48B7531C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000000.2323818165.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000000.2323818165.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.2323818165.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000000.2323818165.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4775165264.000000000068E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false


                                                Execution Graph

                                                Execution Coverage:4.3%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:22.8%
                                                Total number of Nodes:1327
                                                Total number of Limit Nodes:62
                                                execution_graph 45953 41d4d0 45955 41d4e6 ctype ___scrt_fastfail 45953->45955 45954 41d6e3 45959 41d734 45954->45959 45969 41d071 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection ___scrt_fastfail 45954->45969 45955->45954 45957 431f99 21 API calls 45955->45957 45962 41d696 ___scrt_fastfail 45957->45962 45958 41d6f4 45958->45959 45960 41d760 45958->45960 45970 431f99 45958->45970 45960->45959 45978 41d474 21 API calls ___scrt_fastfail 45960->45978 45962->45959 45964 431f99 21 API calls 45962->45964 45967 41d6be ___scrt_fastfail 45964->45967 45965 41d72d ___scrt_fastfail 45965->45959 45975 43264f 45965->45975 45967->45959 45968 431f99 21 API calls 45967->45968 45968->45954 45969->45958 45971 431fa7 45970->45971 45973 431fa3 45970->45973 45979 43a88c 45971->45979 45973->45965 45988 43256f 45975->45988 45977 432657 45977->45960 45978->45959 45985 446aff _strftime 45979->45985 45980 446b3d 45987 445354 20 API calls _free 45980->45987 45981 446b28 RtlAllocateHeap 45983 431fac 45981->45983 45981->45985 45983->45965 45985->45980 45985->45981 45986 442200 7 API calls 2 library calls 45985->45986 45986->45985 45987->45983 45989 432588 45988->45989 45993 43257e 45988->45993 45990 431f99 21 API calls 45989->45990 45989->45993 45991 4325a9 45990->45991 45991->45993 45994 43293a CryptAcquireContextA 45991->45994 45993->45977 45995 432956 45994->45995 45996 43295b CryptGenRandom 45994->45996 45995->45993 45996->45995 45997 432970 CryptReleaseContext 45996->45997 45997->45995 45998 426030 46003 4260f7 recv 45998->46003 46004 44e8b6 46005 44e8c1 46004->46005 46006 44e8e9 46005->46006 46008 44e8da 46005->46008 46007 44e8f8 46006->46007 46026 455573 27 API calls 2 library calls 46006->46026 46013 44b9be 46007->46013 46025 445354 20 API calls _free 46008->46025 46011 44e8df ___scrt_fastfail 46014 44b9d6 46013->46014 46015 44b9cb 46013->46015 46017 44b9de 46014->46017 46023 44b9e7 _strftime 46014->46023 46033 446aff 21 API 
calls 3 library calls 46015->46033 46027 446ac5 46017->46027 46019 44ba11 RtlReAllocateHeap 46021 44b9d3 46019->46021 46019->46023 46020 44b9ec 46034 445354 20 API calls _free 46020->46034 46021->46011 46023->46019 46023->46020 46035 442200 7 API calls 2 library calls 46023->46035 46025->46011 46026->46007 46028 446ad0 RtlFreeHeap 46027->46028 46029 446af9 _free 46027->46029 46028->46029 46030 446ae5 46028->46030 46029->46021 46036 445354 20 API calls _free 46030->46036 46032 446aeb GetLastError 46032->46029 46033->46021 46034->46021 46035->46023 46036->46032 46037 426091 46042 42610e send 46037->46042 46043 425e56 46044 425e6b 46043->46044 46047 425f0b 46043->46047 46045 425f25 46044->46045 46046 425f5a 46044->46046 46044->46047 46048 425eb9 46044->46048 46049 425f77 46044->46049 46050 425f9e 46044->46050 46056 425eee 46044->46056 46071 424354 50 API calls ctype 46044->46071 46045->46046 46045->46047 46074 41f075 54 API calls 46045->46074 46046->46049 46075 424b7b 21 API calls 46046->46075 46048->46047 46048->46056 46072 41f075 54 API calls 46048->46072 46049->46047 46049->46050 46059 424f78 46049->46059 46050->46047 46076 4255c7 28 API calls 46050->46076 46056->46045 46056->46047 46073 424354 50 API calls ctype 46056->46073 46060 424f97 ___scrt_fastfail 46059->46060 46063 424fa6 46060->46063 46067 424fcb 46060->46067 46077 41e097 21 API calls 46060->46077 46061 424fab 46066 424fb4 46061->46066 46061->46067 46079 41cf6e 50 API calls 46061->46079 46063->46061 46063->46067 46078 41fad4 47 API calls 46063->46078 46066->46067 46080 424185 21 API calls 2 library calls 46066->46080 46067->46050 46069 42504e 46069->46067 46070 431f99 21 API calls 46069->46070 46070->46061 46071->46048 46072->46048 46073->46045 46074->46045 46075->46049 46076->46047 46077->46063 46078->46069 46079->46066 46080->46067 46081 43a998 46083 43a9a4 _swprintf __FrameHandler3::FrameUnwindToState 46081->46083 46082 43a9b2 46099 445354 20 API calls _free 46082->46099 46083->46082 46087 43a9dc 
46083->46087 46085 43a9b7 46100 43a827 26 API calls _Deallocate 46085->46100 46094 444acc EnterCriticalSection 46087->46094 46089 43a9e7 46095 43aa88 46089->46095 46092 43a9c2 __fread_nolock 46094->46089 46097 43aa96 46095->46097 46096 43a9f2 46101 43aa0f LeaveCriticalSection std::_Lockit::~_Lockit 46096->46101 46097->46096 46102 448416 39 API calls 2 library calls 46097->46102 46099->46085 46100->46092 46101->46092 46102->46097 46103 414dba 46118 41a51b 46103->46118 46105 414dc3 46128 401fbd 46105->46128 46109 414dde 46110 4161f2 46109->46110 46133 401eea 46109->46133 46137 401d8c 46110->46137 46113 4161fb 46114 401eea 26 API calls 46113->46114 46115 416207 46114->46115 46116 401eea 26 API calls 46115->46116 46117 416213 46116->46117 46119 41a529 46118->46119 46120 43a88c ___crtLCMapStringA 21 API calls 46119->46120 46121 41a533 InternetOpenW InternetOpenUrlW 46120->46121 46122 41a55c InternetReadFile 46121->46122 46127 41a57f 46122->46127 46124 41a5ac InternetCloseHandle InternetCloseHandle 46125 41a5be 46124->46125 46125->46105 46126 401eea 26 API calls 46126->46127 46127->46122 46127->46124 46127->46126 46143 401f86 46127->46143 46129 401fcc 46128->46129 46152 402501 46129->46152 46131 401fea 46132 404468 60 API calls ctype 46131->46132 46132->46109 46134 4021b9 46133->46134 46135 4021e8 46134->46135 46157 40262e 26 API calls _Deallocate 46134->46157 46135->46110 46138 40200a 46137->46138 46142 40203a 46138->46142 46158 402654 26 API calls 46138->46158 46140 40202b 46159 4026ba 26 API calls _Deallocate 46140->46159 46142->46113 46144 401f8e 46143->46144 46147 402325 46144->46147 46146 401fa4 46146->46127 46148 40232f 46147->46148 46149 40233a 46148->46149 46151 40294a 28 API calls 46148->46151 46149->46146 46151->46149 46153 40250d 46152->46153 46155 40252b 46153->46155 46156 40261a 28 API calls 46153->46156 46155->46131 46156->46155 46157->46135 46158->46140 46159->46142 46160 402bcc 46161 402bd7 46160->46161 46162 402bdf 46160->46162 46178 403315 28 API calls 
2 library calls 46161->46178 46164 402beb 46162->46164 46168 4015d3 46162->46168 46166 402bdd 46170 43360d 46168->46170 46169 43a88c ___crtLCMapStringA 21 API calls 46169->46170 46170->46169 46171 402be9 46170->46171 46174 43362e std::_Facet_Register 46170->46174 46179 442200 7 API calls 2 library calls 46170->46179 46173 433dec std::_Facet_Register 46181 437bd7 RaiseException 46173->46181 46174->46173 46180 437bd7 RaiseException 46174->46180 46177 433e09 46178->46166 46179->46170 46180->46173 46181->46177 46182 4339be 46183 4339ca __FrameHandler3::FrameUnwindToState 46182->46183 46214 4336b3 46183->46214 46185 4339d1 46186 433b24 46185->46186 46189 4339fb 46185->46189 46514 433b44 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 46186->46514 46188 433b2b 46515 4426be 28 API calls _abort 46188->46515 46191 433a3a ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 46189->46191 46508 4434d1 5 API calls __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 46189->46508 46199 433a9b 46191->46199 46510 43edf4 38 API calls 3 library calls 46191->46510 46192 433b31 46516 442670 28 API calls _abort 46192->46516 46195 433a14 46197 433a1a 46195->46197 46509 443475 5 API calls __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 46195->46509 46196 433b39 46225 433c5e 46199->46225 46208 433abd 46208->46188 46209 433ac1 46208->46209 46210 433aca 46209->46210 46512 442661 28 API calls _abort 46209->46512 46513 433842 13 API calls 2 library calls 46210->46513 46213 433ad2 46213->46197 46215 4336bc 46214->46215 46517 433e0a IsProcessorFeaturePresent 46215->46517 46217 4336c8 46518 4379ee 10 API calls 3 library calls 46217->46518 46219 4336cd 46224 4336d1 46219->46224 46519 44335e IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 46219->46519 46221 4336da 46222 4336e8 46221->46222 46520 437a17 8 API calls 3 library calls 
46221->46520 46222->46185 46224->46185 46521 436050 46225->46521 46228 433aa1 46229 443422 46228->46229 46523 44ddc9 46229->46523 46231 433aaa 46234 40d767 46231->46234 46232 44342b 46232->46231 46527 44e0d3 38 API calls 46232->46527 46529 41bce3 LoadLibraryA GetProcAddress 46234->46529 46236 40d783 GetModuleFileNameW 46534 40e168 46236->46534 46238 40d79f 46239 401fbd 28 API calls 46238->46239 46240 40d7ae 46239->46240 46241 401fbd 28 API calls 46240->46241 46242 40d7bd 46241->46242 46549 41afc3 46242->46549 46246 40d7cf 46247 401d8c 26 API calls 46246->46247 46248 40d7d8 46247->46248 46249 40d835 46248->46249 46250 40d7eb 46248->46250 46574 401d64 46249->46574 46828 40e986 111 API calls 46250->46828 46253 40d845 46256 401d64 28 API calls 46253->46256 46254 40d7fd 46255 401d64 28 API calls 46254->46255 46258 40d809 46255->46258 46257 40d864 46256->46257 46579 404cbf 46257->46579 46829 40e937 68 API calls 46258->46829 46260 40d873 46583 405ce6 46260->46583 46263 40d87f 46586 401eef 46263->46586 46264 40d824 46830 40e155 68 API calls 46264->46830 46267 40d88b 46268 401eea 26 API calls 46267->46268 46269 40d894 46268->46269 46271 401eea 26 API calls 46269->46271 46270 401eea 26 API calls 46272 40dc9f 46270->46272 46273 40d89d 46271->46273 46511 433c94 GetModuleHandleW 46272->46511 46274 401d64 28 API calls 46273->46274 46275 40d8a6 46274->46275 46590 401ebd 46275->46590 46277 40d8b1 46278 401d64 28 API calls 46277->46278 46279 40d8ca 46278->46279 46280 401d64 28 API calls 46279->46280 46282 40d8e5 46280->46282 46281 40d946 46283 401d64 28 API calls 46281->46283 46298 40e134 46281->46298 46282->46281 46831 4085b4 46282->46831 46289 40d95d 46283->46289 46285 40d912 46286 401eef 26 API calls 46285->46286 46287 40d91e 46286->46287 46290 401eea 26 API calls 46287->46290 46288 40d9a4 46594 40bed7 46288->46594 46289->46288 46295 4124b7 3 API calls 46289->46295 46292 40d927 46290->46292 46835 4124b7 RegOpenKeyExA 46292->46835 46293 40d9aa 46294 40d82d 46293->46294 46597 
41a463 46293->46597 46294->46270 46300 40d988 46295->46300 46913 412902 30 API calls 46298->46913 46299 40d9c5 46301 40da18 46299->46301 46614 40697b 46299->46614 46300->46288 46838 412902 30 API calls 46300->46838 46304 401d64 28 API calls 46301->46304 46306 40da21 46304->46306 46315 40da32 46306->46315 46316 40da2d 46306->46316 46308 40e14a 46914 4112b5 64 API calls ___scrt_fastfail 46308->46914 46309 40d9e4 46839 40699d 30 API calls 46309->46839 46310 40d9ee 46314 401d64 28 API calls 46310->46314 46323 40d9f7 46314->46323 46320 401d64 28 API calls 46315->46320 46842 4069ba CreateProcessA CloseHandle CloseHandle ___scrt_fastfail 46316->46842 46317 40d9e9 46840 4064d0 97 API calls 46317->46840 46321 40da3b 46320->46321 46618 41ae08 46321->46618 46323->46301 46326 40da13 46323->46326 46324 40da46 46622 401e18 46324->46622 46841 4064d0 97 API calls 46326->46841 46327 40da51 46626 401e13 46327->46626 46330 40da5a 46331 401d64 28 API calls 46330->46331 46332 40da63 46331->46332 46333 401d64 28 API calls 46332->46333 46334 40da7d 46333->46334 46335 401d64 28 API calls 46334->46335 46336 40da97 46335->46336 46337 401d64 28 API calls 46336->46337 46339 40dab0 46337->46339 46338 40db1d 46340 40db2c 46338->46340 46347 40dcaa ___scrt_fastfail 46338->46347 46339->46338 46341 401d64 28 API calls 46339->46341 46342 40db35 46340->46342 46370 40dbb1 ___scrt_fastfail 46340->46370 46345 40dac5 _wcslen 46341->46345 46343 401d64 28 API calls 46342->46343 46344 40db3e 46343->46344 46346 401d64 28 API calls 46344->46346 46345->46338 46348 401d64 28 API calls 46345->46348 46349 40db50 46346->46349 46902 41265d RegOpenKeyExA 46347->46902 46350 40dae0 46348->46350 46352 401d64 28 API calls 46349->46352 46354 401d64 28 API calls 46350->46354 46353 40db62 46352->46353 46357 401d64 28 API calls 46353->46357 46355 40daf5 46354->46355 46843 40c89e 46355->46843 46356 40dcef 46358 401d64 28 API calls 46356->46358 46359 40db8b 46357->46359 46360 40dd16 46358->46360 46365 401d64 28 API calls 
46359->46365 46640 401f66 46360->46640 46363 401e18 26 API calls 46364 40db14 46363->46364 46367 401e13 26 API calls 46364->46367 46368 40db9c 46365->46368 46367->46338 46900 40bc67 46 API calls _wcslen 46368->46900 46369 40dd25 46644 4126d2 RegCreateKeyA 46369->46644 46630 4128a2 46370->46630 46375 40dc45 ctype 46379 401d64 28 API calls 46375->46379 46376 40dbac 46376->46370 46377 401d64 28 API calls 46378 40dd47 46377->46378 46650 43a5e7 46378->46650 46380 40dc5c 46379->46380 46380->46356 46384 40dc70 46380->46384 46383 40dd5e 46905 41beb0 87 API calls ___scrt_fastfail 46383->46905 46386 401d64 28 API calls 46384->46386 46385 40dd81 46391 401f66 28 API calls 46385->46391 46388 40dc7e 46386->46388 46389 41ae08 28 API calls 46388->46389 46393 40dc87 46389->46393 46390 40dd65 CreateThread 46390->46385 47608 41c96f 10 API calls 46390->47608 46392 40dd96 46391->46392 46394 401f66 28 API calls 46392->46394 46901 40e219 112 API calls 46393->46901 46396 40dda5 46394->46396 46654 41a686 46396->46654 46397 40dc8c 46397->46356 46399 40dc93 46397->46399 46399->46294 46401 401d64 28 API calls 46402 40ddb6 46401->46402 46403 401d64 28 API calls 46402->46403 46404 40ddcb 46403->46404 46405 401d64 28 API calls 46404->46405 46406 40ddeb 46405->46406 46407 43a5e7 _strftime 42 API calls 46406->46407 46408 40ddf8 46407->46408 46409 401d64 28 API calls 46408->46409 46410 40de03 46409->46410 46411 401d64 28 API calls 46410->46411 46412 40de14 46411->46412 46413 401d64 28 API calls 46412->46413 46414 40de29 46413->46414 46415 401d64 28 API calls 46414->46415 46416 40de3a 46415->46416 46417 40de41 StrToIntA 46416->46417 46678 409517 46417->46678 46420 401d64 28 API calls 46421 40de5c 46420->46421 46422 40dea1 46421->46422 46423 40de68 46421->46423 46425 401d64 28 API calls 46422->46425 46906 43360d 22 API calls 3 library calls 46423->46906 46427 40deb1 46425->46427 46426 40de71 46428 401d64 28 API calls 46426->46428 46430 40def9 46427->46430 46431 40debd 46427->46431 46429 40de84 
46428->46429 46432 40de8b CreateThread 46429->46432 46434 401d64 28 API calls 46430->46434 46907 43360d 22 API calls 3 library calls 46431->46907 46432->46422 47605 419128 109 API calls 2 library calls 46432->47605 46436 40df02 46434->46436 46435 40dec6 46437 401d64 28 API calls 46435->46437 46439 40df6c 46436->46439 46440 40df0e 46436->46440 46438 40ded8 46437->46438 46443 40dedf CreateThread 46438->46443 46441 401d64 28 API calls 46439->46441 46442 401d64 28 API calls 46440->46442 46444 40df75 46441->46444 46445 40df1e 46442->46445 46443->46430 47610 419128 109 API calls 2 library calls 46443->47610 46446 40df81 46444->46446 46447 40dfba 46444->46447 46448 401d64 28 API calls 46445->46448 46450 401d64 28 API calls 46446->46450 46703 41a7a2 GetComputerNameExW GetUserNameW 46447->46703 46451 40df33 46448->46451 46453 40df8a 46450->46453 46908 40c854 32 API calls 46451->46908 46458 401d64 28 API calls 46453->46458 46454 401e18 26 API calls 46455 40dfce 46454->46455 46457 401e13 26 API calls 46455->46457 46460 40dfd7 46457->46460 46461 40df9f 46458->46461 46459 40df46 46462 401e18 26 API calls 46459->46462 46463 40dfe0 SetProcessDEPPolicy 46460->46463 46464 40dfe3 CreateThread 46460->46464 46472 43a5e7 _strftime 42 API calls 46461->46472 46465 40df52 46462->46465 46463->46464 46466 40e004 46464->46466 46467 40dff8 CreateThread 46464->46467 47578 40e54f 46464->47578 46468 401e13 26 API calls 46465->46468 46470 40e019 46466->46470 46471 40e00d CreateThread 46466->46471 46467->46466 47606 410f36 138 API calls 46467->47606 46469 40df5b CreateThread 46468->46469 46469->46439 47607 40196b 49 API calls _strftime 46469->47607 46474 40e073 46470->46474 46476 401f66 28 API calls 46470->46476 46471->46470 47609 411524 38 API calls ___scrt_fastfail 46471->47609 46473 40dfac 46472->46473 46909 40b95c 7 API calls 46473->46909 46714 41246e RegOpenKeyExA 46474->46714 46477 40e046 46476->46477 46910 404c9e 28 API calls 46477->46910 46481 40e053 46483 401f66 28 API calls 46481->46483 
[Control-flow graph residue: the node/edge listing of the disassembler's function call graph (node id, function address, API names, "source->target" edges) that was rendered as an image in the original report; not reproduced here.]

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
• GetProcAddress.KERNEL32(00000000), ref: 0041BD01
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
• GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
• LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
• GetProcAddress.KERNEL32(00000000), ref: 0041BD30
• LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
• GetProcAddress.KERNEL32(00000000), ref: 0041BD44
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
• GetProcAddress.KERNEL32(00000000), ref: 0041BD58
• LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
• GetProcAddress.KERNEL32(00000000), ref: 0041BD68
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
• GetProcAddress.KERNEL32(00000000), ref: 0041BD78
• GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
• GetProcAddress.KERNEL32(00000000), ref: 0041BD88
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
• GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
• GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
• GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
• GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
• GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
• GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
• GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
• GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
• GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
• GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
• LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
• GetProcAddress.KERNEL32(00000000), ref: 0041BE09
• LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE16
• GetProcAddress.KERNEL32(00000000), ref: 0041BE19
• GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE2B
• GetProcAddress.KERNEL32(00000000), ref: 0041BE2E
• GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE3B
• GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE50
• GetProcAddress.KERNEL32(00000000), ref: 0041BE53
• LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE60
• GetProcAddress.KERNEL32(00000000), ref: 0041BE63

Strings

Memory Dump Source
• Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressProc$HandleLibraryLoadModule
                                                • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                • API String ID: 384173800-625181639
                                                • Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                • Instruction ID: 894fbade80705e672e772900be83df88f70523cf1842e1027a1ce5ee2e2841b6
                                                • Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                • Instruction Fuzzy Hash: 2831EDA0E4031C7ADA107FB69C49E5B7E9CD944B953110827B508D3162FBBDA9809EEE

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                                                  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                                                  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                                                  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                                                  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                                  • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                                  • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                  • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                                • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe,00000104), ref: 0040D790
                                                  • Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                • String ID: 0DG$@CG$@CG$Access Level: $Administrator$C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe$Exe$Exe$Inj$Remcos Agent initialized$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$escoclar-5B94K9$exepath$licence$license_code.txt$BG$BG$BG$BG$BG
                                                • API String ID: 2830904901-4282191732
                                                • Opcode ID: d985282723b292a847697baca67a20060ee7dcf01e51df26af1e6cb45a7ba986
                                                • Instruction ID: 4071723a11783d2da8da933f82134b9c6f3815e49c8d87d463163304bf45e319
                                                • Opcode Fuzzy Hash: d985282723b292a847697baca67a20060ee7dcf01e51df26af1e6cb45a7ba986
                                                • Instruction Fuzzy Hash: 4032A360B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E

                                                Control-flow Graph

                                                APIs
                                                • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
                                                • SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
                                                • GetLastError.KERNEL32 ref: 00409A1B
                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
                                                • TranslateMessage.USER32(?), ref: 00409A7A
                                                • DispatchMessageA.USER32(?), ref: 00409A85
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                • String ID: Keylogger initialization failure: error $`#v
                                                • API String ID: 3219506041-3226811161
                                                • Opcode ID: b25c238cc25c38f6a39b157eec7e909f885e780430bb9e72e24c2f6a8841eb99
                                                • Instruction ID: 76b292cdb4e6355f9a4176d1f10d626d2d11be3de55f9aee7ae49bf60faff0c2
                                                • Opcode Fuzzy Hash: b25c238cc25c38f6a39b157eec7e909f885e780430bb9e72e24c2f6a8841eb99
                                                • Instruction Fuzzy Hash: 201194716043015BC710AB7AAC4996B77ECAB94B15B10057FFC45D2291FB34DE01CBAB

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                  • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                  • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
                                                • Sleep.KERNEL32(00000BB8), ref: 0040E603
                                                • ExitProcess.KERNEL32 ref: 0040E672
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseExitOpenProcessQuerySleepValue
                                                • String ID: 5.3.0 Pro$override$pth_unenc$BG
                                                • API String ID: 2281282204-3981147832
                                                • Opcode ID: f180ab47f223277a7e4a5a7b30372dd52af8f2688aadcd4541f101f1d00d282c
                                                • Instruction ID: 346becae97c590b24629de205d3f766cc2ad037e5fc603921d36f10068cff0f4
                                                • Opcode Fuzzy Hash: f180ab47f223277a7e4a5a7b30372dd52af8f2688aadcd4541f101f1d00d282c
                                                • Instruction Fuzzy Hash: 6B21A131B0030027C608767A891BA6F359A9B91719F90443EF805A76D7EE7D8A6083DF

                                                Control-flow Graph

                                                APIs
                                                • GetLocalTime.KERNEL32(00000001,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404946
                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404994
                                                • CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7
                                                Strings
                                                • KeepAlive | Enabled | Timeout: , xrefs: 0040495C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Create$EventLocalThreadTime
                                                • String ID: KeepAlive | Enabled | Timeout:
                                                • API String ID: 2532271599-1507639952
                                                • Opcode ID: 35453c4289c9b9740e7d5fc02d345a9090b78ad88d17a20c74762e0b12e92854
                                                • Instruction ID: c7daaf492e0cec12b0841424890a61be8e5b61f5a3177df3d8f4b9063cedc03f
                                                • Opcode Fuzzy Hash: 35453c4289c9b9740e7d5fc02d345a9090b78ad88d17a20c74762e0b12e92854
                                                • Instruction Fuzzy Hash: 38113AB19042547AC710A7BA8C49BCB7F9C9F86364F00407BF40462192C7789845CBFA
                                                APIs
                                                • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326C2,00000024,?,?,?), ref: 0043294C
                                                • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBBE,?), ref: 00432962
                                                • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBBE,?), ref: 00432974
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Crypt$Context$AcquireRandomRelease
                                                • String ID:
                                                • API String ID: 1815803762-0
                                                • Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                • Instruction ID: 80435fde6f6b62f03973a002229794bf261f16e8857de4c024377aa862d1bdf3
                                                • Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                • Instruction Fuzzy Hash: 11E06D31308211BBEB310E25BC08F573F94AF89B71F71053AB211E40E4C2A188419A1C
                                                APIs
                                                • GetComputerNameExW.KERNEL32(00000001,?,0000002B,00474358), ref: 0041A7BF
                                                • GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7D7
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Name$ComputerUser
                                                • String ID:
                                                • API String ID: 4229901323-0
                                                • Opcode ID: d080141cef9e3990b2f6bec53120ee530cdf67b1126702e4f13589ad74e7334c
                                                • Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
                                                • Opcode Fuzzy Hash: d080141cef9e3990b2f6bec53120ee530cdf67b1126702e4f13589ad74e7334c
                                                • Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98
                                                APIs
                                                • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A10,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: InfoLocale
                                                • String ID:
                                                • API String ID: 2299586839-0
                                                • Opcode ID: 2f0bd58ff2c46692be8fd04023cab22914861fe3b087e1ba55e03f3e1b92ba33
                                                • Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
                                                • Opcode Fuzzy Hash: 2f0bd58ff2c46692be8fd04023cab22914861fe3b087e1ba55e03f3e1b92ba33
                                                • Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: recv
                                                • String ID:
                                                • API String ID: 1507349165-0
                                                • Opcode ID: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                • Instruction ID: fbcf0fb35859d26dd0bec2a34c6193cd90ff2e5205aa97c5c9b80f8ed11fde70
                                                • Opcode Fuzzy Hash: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                • Instruction Fuzzy Hash: 35B09279118202FFCA051B60DC0887ABEBAABCC381F108D2DB586501B0CA37C451AB26

                                                Control-flow Graph

                                                APIs
                                                • Sleep.KERNEL32(00000000,00000029,004742F8,?,00000000), ref: 00414028
                                                • WSAGetLastError.WS2_32 ref: 00414249
                                                • Sleep.KERNEL32(00000000,00000002), ref: 00414B88
                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Sleep$ErrorLastLocalTime
                                                • String ID: | $%I64u$5.3.0 Pro$@CG$C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$TLS Off$TLS On $TUF$XCG$XCG$XCG$`=G$dCG$escoclar-5B94K9$hlight$name$>G$>G$BG
                                                • API String ID: 524882891-823071677
                                                • Opcode ID: 7f34964a68ebb1278d86fdf668c67ce0ae309ce2e716e22ab72244e28e7546a4
                                                • Instruction ID: a0bb0b13232d9f5991351636829aab2dda2428bc81dc0b9639db3628de0ead2f
                                                • Opcode Fuzzy Hash: 7f34964a68ebb1278d86fdf668c67ce0ae309ce2e716e22ab72244e28e7546a4
                                                • Instruction Fuzzy Hash: 58524E31A001145ADB18F771DDA6AEE73A59F90708F1041BFB80A771E2EF385E85CA9D

                                                Control-flow Graph

                                                APIs
                                                • Sleep.KERNEL32(00001388), ref: 00409E62
                                                  • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                  • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                  • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                  • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
                                                • GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
                                                • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
                                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
                                                  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A049
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                • String ID: @CG$@CG$XCG$XCG$xAG$xAG
                                                • API String ID: 3795512280-3163867910
                                                • Opcode ID: 478d1cbae2b352f7a85ddd3b94cb29f0f84926477ce6454f32d463d399d219e0
                                                • Instruction ID: b7dfc09a395f5416f32c5fe597dbb364f69b6ed32616efff49b152d1c9b912f4
                                                • Opcode Fuzzy Hash: 478d1cbae2b352f7a85ddd3b94cb29f0f84926477ce6454f32d463d399d219e0
                                                • Instruction Fuzzy Hash: 30518D716043005ACB05BB72D866ABF769AAFD1309F00053FF886B71E2DF3D9D44869A

                                                Control-flow Graph

                                                APIs
                                                • connect.WS2_32(?,?,?), ref: 004042A5
                                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
                                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
                                                • WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                • API String ID: 994465650-2151626615
                                                • Opcode ID: da33fcb12fc8fa225914991ff724b524bff1c68ebbc9632bded2e3fb966eaf16
                                                • Instruction ID: b196b808fbc66b1ac8da6b4b51d7f626a0d3d22bc4cde50e21f83cd2c7739b74
                                                • Opcode Fuzzy Hash: da33fcb12fc8fa225914991ff724b524bff1c68ebbc9632bded2e3fb966eaf16
                                                • Instruction Fuzzy Hash: ED4128B1B00202A7CB04B77A8C5B66D7A55AB81368B40007FF901676D3EE7DAD6087DF

                                                Control-flow Graph

                                                APIs
                                                • __Init_thread_footer.LIBCMT ref: 0040A456
                                                • Sleep.KERNEL32(000001F4), ref: 0040A461
                                                • GetForegroundWindow.USER32 ref: 0040A467
                                                • GetWindowTextLengthW.USER32(00000000), ref: 0040A470
                                                • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
                                                • Sleep.KERNEL32(000003E8), ref: 0040A574
                                                  • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                • String ID: [${ User has been idle for $ minutes }$]
                                                • API String ID: 911427763-3954389425
                                                • Opcode ID: 547a7cfd8ecb315c382de053530a614a00025319d5b4f46ac54375dc0518001e
                                                • Instruction ID: 0ecdfa35f4bf358d0b6072dbfc0ad8fc4f94b2a12b5a089c7f39fa9b67fb4d59
                                                • Opcode Fuzzy Hash: 547a7cfd8ecb315c382de053530a614a00025319d5b4f46ac54375dc0518001e
                                                • Instruction Fuzzy Hash: C451DF316083005BC614FB21D84AAAE7794BF84318F50493FF846A62E2EF7C9E55C69F

                                                Control-flow Graph

                                                APIs
                                                • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040CA04
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: LongNamePath
                                                • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                • API String ID: 82841172-425784914
                                                • Opcode ID: f411b4bda197469a8f5fa6f0702ce682b0f23decd79daaf3752e96957329e7a7
                                                • Instruction ID: 51cedb133b73bca78a9fc1065318242b3d6e678e936cb09da4a185c9a299c852
                                                • Opcode Fuzzy Hash: f411b4bda197469a8f5fa6f0702ce682b0f23decd79daaf3752e96957329e7a7
                                                • Instruction Fuzzy Hash: 39413A721442009BC214FB21DD96DAFB7A4AE90759F10063FB546720E2EE7CAA49C69F

                                                Control-flow Graph

                                                APIs
                                                • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A53E
                                                • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A554
                                                • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A56D
                                                • InternetCloseHandle.WININET(00000000), ref: 0041A5B3
                                                • InternetCloseHandle.WININET(00000000), ref: 0041A5B6
                                                Strings
                                                • http://geoplugin.net/json.gp, xrefs: 0041A54E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Internet$CloseHandleOpen$FileRead
                                                • String ID: http://geoplugin.net/json.gp
                                                • API String ID: 3121278467-91888290
                                                • Opcode ID: a574e59ae2a6d8659b3b708bfc28c48046a6cfc8e174729ee45d25f2e2c52857
                                                • Instruction ID: 402fbdb1aff19a1981f8347c65821a4f206ec005c70a85ea4635686413b1fe25
                                                • Opcode Fuzzy Hash: a574e59ae2a6d8659b3b708bfc28c48046a6cfc8e174729ee45d25f2e2c52857
                                                • Instruction Fuzzy Hash: 2711C87110A3126BD214AA169C45DBF7FDCEF46365F00053EF905D2191DB689C48C6B6

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                  • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
                                                  • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                  • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                  • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                                • StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4D9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$CloseCurrentOpenQueryValueWow64
                                                • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                • API String ID: 782494840-2070987746
                                                • Opcode ID: 2b18f229538df81ea9d982a80dc21e3ef646ce9f87e0def4b65cb5a9171dabf9
                                                • Instruction ID: 19977b185b3bcff34fa520d2ecc4782d624f476aadfe6515b429a208ce335d2f
                                                • Opcode Fuzzy Hash: 2b18f229538df81ea9d982a80dc21e3ef646ce9f87e0def4b65cb5a9171dabf9
                                                • Instruction Fuzzy Hash: EF11E9A060020166C704B365DCABDBF765ADB90304F50443FB906E31D2EB6C9E9683EE

                                                Control-flow Graph

                                                APIs
                                                • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                • Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                • CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$CloseCreateHandleSizeSleep
                                                • String ID: `AG
                                                • API String ID: 1958988193-3058481221
                                                • Opcode ID: b0d5ab9d96485228d01e653f577d9a536d0e325b1c446dee4fcf46d6e6ae2c45
                                                • Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
                                                • Opcode Fuzzy Hash: b0d5ab9d96485228d01e653f577d9a536d0e325b1c446dee4fcf46d6e6ae2c45
                                                • Instruction Fuzzy Hash: 3A11C4303407406AE731E764E88962B7A9AAB91311F44057EF18562AE3D7389CD1829D

                                                Control-flow Graph

                                                APIs
                                                • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                                                • RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                                                • RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseCreateValue
                                                • String ID: HgF$pth_unenc
                                                • API String ID: 1818849710-3662775637
                                                • Opcode ID: 1bd7bc63bfcb718f8a00b857ba0206b1347799401e36ec3cc1597cb67c32c774
                                                • Instruction ID: d7c223529d0a909ac1d5b5cf1be9cbd74eb10d05c00374dbcf2eb8abb0eb8976
                                                • Opcode Fuzzy Hash: 1bd7bc63bfcb718f8a00b857ba0206b1347799401e36ec3cc1597cb67c32c774
                                                • Instruction Fuzzy Hash: 98F09032040104FBCB019FA0ED55EEF37ACEF04751F108139FD06A61A1EA75DE04EA94

                                                Control-flow Graph

                                                APIs
                                                • CreateThread.KERNEL32(00000000,00000000,004099A9,?,00000000,00000000), ref: 0040992A
                                                • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040993A
                                                • CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 00409946
                                                  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateThread$LocalTimewsprintf
                                                • String ID: Offline Keylogger Started
                                                • API String ID: 465354869-4114347211
                                                • Opcode ID: 12a7e14b742792f2f7edc51aeeb20cb2f460560c35512bbf3bc1a56244271605
                                                • Instruction ID: 73cd13916ef890eca76c0e29a3751801184202c96e3ca0ae9416a03768ca9078
                                                • Opcode Fuzzy Hash: 12a7e14b742792f2f7edc51aeeb20cb2f460560c35512bbf3bc1a56244271605
                                                • Instruction Fuzzy Hash: CF11ABB15003097AD220BA36DC87CBF765CDA813A8B40053EF845225D3EA785E54C6FB
                                                APIs
                                                • RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                • RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                • RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseCreateValue
                                                • String ID: TUF
                                                • API String ID: 1818849710-3431404234
                                                • Opcode ID: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                • Instruction ID: 4d8f19d4f5fba69279ea975c705bdc3302fb28fe13ea63ccb444db4f968143a5
                                                • Opcode Fuzzy Hash: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                • Instruction Fuzzy Hash: 8DE03071540204BFEF115B909C05FDB3BA8EB05B95F004161FA05F6191D271CE14D7A4
                                                APIs
                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
                                                • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
                                                • CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                • String ID:
                                                • API String ID: 3360349984-0
                                                • Opcode ID: 72b013782cf94b1f3d34b8331976b904c6ebf93714f67b57431e08570f282644
                                                • Instruction ID: f4983b6e647f91c6eb1a16b69ab68a2f9d5597509a23169db7b615edd0c6cdea
                                                • Opcode Fuzzy Hash: 72b013782cf94b1f3d34b8331976b904c6ebf93714f67b57431e08570f282644
                                                • Instruction Fuzzy Hash: 34417171508301ABC700FB61CC55D7FB7E9AFD5315F00093EF892A32E2EA389909866A
                                                APIs
                                                • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6A5,00000000,00000000,?), ref: 0041B5CE
                                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040A009,?,00000000,00000000), ref: 0041B5EB
                                                • WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A009,?,00000000,00000000), ref: 0041B5FF
                                                • CloseHandle.KERNEL32(00000000,?,0040A009,?,00000000,00000000), ref: 0041B60C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$CloseCreateHandlePointerWrite
                                                • String ID:
                                                • API String ID: 3604237281-0
                                                • Opcode ID: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                • Instruction ID: 083799f3d1f95ebfb1fb2bbe8bc155d348f6fb5eb74ded268dd94cd43ec1eb57
                                                • Opcode Fuzzy Hash: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                • Instruction Fuzzy Hash: 7501F5712092157FE6104F28AC89EBB739EEB86379F10063AF552C22C0D725CD8586BE
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CountEventTick
                                                • String ID: >G
                                                • API String ID: 180926312-1296849874
                                                • Opcode ID: b5cb131a7c2f10a7017f8f9fce08a13b2cdf8cae7dc8eae255365ddec9097b64
                                                • Instruction ID: d5b3ec7783a4dd7183bbf31121b5a8e130ff38f85bff4fd723ced1f164cd3d8d
                                                • Opcode Fuzzy Hash: b5cb131a7c2f10a7017f8f9fce08a13b2cdf8cae7dc8eae255365ddec9097b64
                                                • Instruction Fuzzy Hash: 1A5170315042409AC624FB71D8A2AEF73A5AFD1314F40853FF94A671E2EF389949C69A
                                                APIs
                                                • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
                                                • GetLastError.KERNEL32 ref: 0040BEF1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateErrorLastMutex
                                                • String ID: escoclar-5B94K9
                                                • API String ID: 1925916568-1144790527
                                                • Opcode ID: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                                • Instruction ID: f970ec9d0541ab61c93bafde2a4f59c5c821b48a7874ab2150ad5935bc14b509
                                                • Opcode Fuzzy Hash: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                                • Instruction Fuzzy Hash: 75D012707083009BD7181774BC8A77D3555E784703F00417AB90FD55E1CB6888409919
                                                APIs
                                                • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                • RegCloseKey.KERNEL32(?), ref: 0041255F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseOpenQueryValue
                                                • String ID:
                                                • API String ID: 3677997916-0
                                                • Opcode ID: 1a25bcfb25f4c61a33ed6ceb80866840e5ee7adcdacacd2e2e41860cf5e9bac8
                                                • Instruction ID: 155fce86b91483c744b9f02885d56de91ccd1cdd8f33956e2d71fd22bd1c87ae
                                                • Opcode Fuzzy Hash: 1a25bcfb25f4c61a33ed6ceb80866840e5ee7adcdacacd2e2e41860cf5e9bac8
                                                • Instruction Fuzzy Hash: F0F08176900118BBCB209BA1ED48DEF7FBDEB44751F004066BA06E2150D6749E55DBA8
                                                APIs
                                                • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                • RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseOpenQueryValue
                                                • String ID:
                                                • API String ID: 3677997916-0
                                                • Opcode ID: f35e7c15da94557ef338f13a10ac7e5db7717a73998ec4005cb99cacd37e3820
                                                • Instruction ID: c18416eb0b1572374c3e2b3be0649ca89fc6f9e16ed4320a44d925c8ae57db2a
                                                • Opcode Fuzzy Hash: f35e7c15da94557ef338f13a10ac7e5db7717a73998ec4005cb99cacd37e3820
                                                • Instruction Fuzzy Hash: BD018131404229FBDF216FA1DC45DDF7F78EF11754F004065BA04A21A1D7758AB5DBA8
                                                APIs
                                                • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                • RegCloseKey.KERNEL32(?), ref: 00412500
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseOpenQueryValue
                                                • String ID:
                                                • API String ID: 3677997916-0
                                                • Opcode ID: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                                • Instruction ID: 3c8b5742b91bab9b7a0bfd6479237677f271592d1db5ef4b45a1d16c6b8d7bbd
                                                • Opcode Fuzzy Hash: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                                • Instruction Fuzzy Hash: C0F03A76900208BFDF119FA0AC45FDF7BB9EB04B55F1040A1FA05F6291D670DA54EB98
                                                APIs
                                                • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B996,004660E0), ref: 00412485
                                                • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040B996,004660E0), ref: 00412499
                                                • RegCloseKey.KERNEL32(?,?,?,0040B996,004660E0), ref: 004124A4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseOpenQueryValue
                                                • String ID:
                                                • API String ID: 3677997916-0
                                                • Opcode ID: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                                                • Instruction ID: 2a31b93e49ffe9e6f23ef690bd11c8afd6de107f9352384350bf23698ee7218d
                                                • Opcode Fuzzy Hash: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                                                • Instruction Fuzzy Hash: 46E06531405234BBDF314BA2AD0DDDB7FACEF16BA17004061BC09A2251D2658E50E6E8
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _wcslen
                                                • String ID: xAG
                                                • API String ID: 176396367-2759412365
                                                • Opcode ID: 5b2808d6a420319a8e352f948dca3b51851caf84ac7e067c3f15d365214f07ca
                                                • Instruction ID: 4b5f0267b16b6d1f94f05398eea60063c36f9fdec9e789d07f1c8464d26cb595
                                                • Opcode Fuzzy Hash: 5b2808d6a420319a8e352f948dca3b51851caf84ac7e067c3f15d365214f07ca
                                                • Instruction Fuzzy Hash: 751193325002049FCB15FF66D8968EF7BA4EF64314B10453FF842622E2EF38A955CB98
                                                APIs
                                                • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041A959
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: GlobalMemoryStatus
                                                • String ID: @
                                                • API String ID: 1890195054-2766056989
                                                • Opcode ID: 6a5e85952f382d12afcc854e62baf2dc0b8e461fb7fe04101b075e185c2318ef
                                                • Instruction ID: dd145fffdacd7bda74fa2c6e5abe56fe406d4b7e613986be5c07feff288e4f4e
                                                • Opcode Fuzzy Hash: 6a5e85952f382d12afcc854e62baf2dc0b8e461fb7fe04101b075e185c2318ef
                                                • Instruction Fuzzy Hash: EFD067B99013189FCB20DFA8E945A8DBBF8FB48214F004529E946E3344E774E945CB95
                                                APIs
                                                • _free.LIBCMT ref: 0044B9DF
                                                  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                • RtlReAllocateHeap.NTDLL(00000000,00475D30,?,00000004,00000000,?,0044E90A,00475D30,00000004,?,00475D30,?,?,00443125,00475D30,?), ref: 0044BA1B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateHeap$_free
                                                • String ID:
                                                • API String ID: 1482568997-0
                                                • Opcode ID: 5cfe77718a578226d9c79b09a3ca5d66c4b9dac56741ea3d957ce73d3817e4be
                                                • Instruction ID: 12956794463f81a5c067cbc08b9f94d22fea268b9007f3edb04f63306941b305
                                                • Opcode Fuzzy Hash: 5cfe77718a578226d9c79b09a3ca5d66c4b9dac56741ea3d957ce73d3817e4be
                                                • Instruction Fuzzy Hash: D6F0F67210051167FF212A27AC01B6B2B2CDFC27B1F15012BFA18AA292DF6CCC0191EE
                                                APIs
                                                • socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                  • Part of subcall function 00404262: WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404252
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateEventStartupsocket
                                                • String ID:
                                                • API String ID: 1953588214-0
                                                • Opcode ID: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                                                • Instruction ID: 6d5c4ce7eefecebe47fda3b025552a79fd8a61a73b62065855ea20d17e135052
                                                • Opcode Fuzzy Hash: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                                                • Instruction Fuzzy Hash: A20171B05087809ED7358F38B8456977FE0AB15314F044DAEF1D697BA1C3B5A481CB18
                                                APIs
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00433DE7
                                                  • Part of subcall function 00437BD7: RaiseException.KERNEL32(?,?,00434411,?,?,?,?,?,?,?,?,00434411,?,0046D644,0041AD75,?), ref: 00437C37
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00433E04
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Exception@8Throw$ExceptionRaise
                                                • String ID:
                                                • API String ID: 3476068407-0
                                                • Opcode ID: a80fbdf5468804761b56489a3a39c56644ed3c61f36a154b7cd34dcf14c41ed8
                                                • Instruction ID: 1b32a2814776e74a5aaecdac66354fa275a8f3c838098619b8de34dc4906cb01
                                                • Opcode Fuzzy Hash: a80fbdf5468804761b56489a3a39c56644ed3c61f36a154b7cd34dcf14c41ed8
                                                • Instruction Fuzzy Hash: 33F02B30C0020D77CB14BEA5E80699D772C4D08319F20923BB920915E1EF7CEB05858D
                                                APIs
                                                • GetForegroundWindow.USER32 ref: 0041AC74
                                                • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041AC87
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Window$ForegroundText
                                                • String ID:
                                                • API String ID: 29597999-0
                                                • Opcode ID: 1796dd390df28a7f4dbf89d7f01fc1bba1536ee62ee2177b21e7863b89c7f1ab
                                                • Instruction ID: 3cf16c2a8257e52241c70e3f2477159e0ff99a2dafdd86ddfb3cfc0a4d760bbd
                                                • Opcode Fuzzy Hash: 1796dd390df28a7f4dbf89d7f01fc1bba1536ee62ee2177b21e7863b89c7f1ab
                                                • Instruction Fuzzy Hash: 56E04875A0031467EB24A765AC4EFDA766C9704715F0000B9BA19D21C3E9B4EA04CBE4
                                                APIs
                                                • getaddrinfo.WS2_32(00000000,00000000,00000000,00471B28,00474358,00000000,00414240,00000000,00000001), ref: 00413FBC
                                                • WSASetLastError.WS2_32(00000000), ref: 00413FC1
                                                  • Part of subcall function 00413E37: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                                  • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                                  • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                                  • Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                                  • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413F27
                                                  • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                                  • Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                                  • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                                • String ID:
                                                • API String ID: 1170566393-0
                                                • Opcode ID: de7c912f5844d1f7c2d429620844517faabbfd26de99632591fe9930316e04d8
                                                • Instruction ID: 9c65b6197a0e8ce5e429e224625e4c370c9a1848c9e97f9a588a6d75e163472b
                                                • Opcode Fuzzy Hash: de7c912f5844d1f7c2d429620844517faabbfd26de99632591fe9930316e04d8
                                                • Instruction Fuzzy Hash: 4ED05B326406216FB310575D6D01FFBB5DCDFA67617150077F408D7110D6945D82C3AD
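The API lines above (RegOpenKeyExA with 80000001 and 00020019, socket with 00000001 and 00000006, WSAStartup with 00000202, CreateEventW, GetWindowTextW with 00000100, and getaddrinfo resolved through LoadLibraryA/GetProcAddress) give raw hexadecimal argument values; reading them as Win32 constants is what turns the trace into a triage note (HKEY_CURRENT_USER opened with KEY_READ, a TCP stream socket after Winsock 2.2 initialisation, a 256-character foreground-window title buffer for the keylogger, and a late-bound getaddrinfo for the dynamic-DNS C2 host). The following script is an added example, not part of the Joe Sandbox report and not code from the sample. It assumes the bullet-line format exactly as printed above, decodes only argument positions that correspond to documented Win32 parameters, and also covers Sleep and SystemParametersInfoW (SPI_SETDESKWALLPAPER = 0x14), which the report lists further down in the file-manager function. The sample trace lines inside it are copied from this page; the parameter names and constant tables are the documented Win32 values.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample: API trace lines copied from the function blocks above.
# "?" is a value the sandbox could not resolve; values past an API's real
# parameter count (e.g. 0040B996, a return address) are stack residue.
SAMPLE_TRACE = """\
• RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B996,004660E0), ref: 00412485
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040B996,004660E0), ref: 00412499
• RegCloseKey.KERNEL32(?,?,?,0040B996,004660E0), ref: 004124A4
• socket.WS2_32(?,00000001,00000006), ref: 00404212
  • Part of subcall function 00404262: WSAStartup.WS2_32(00000202,00000000), ref: 00404277
• CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404252
• GetForegroundWindow.USER32 ref: 0041AC74
• GetWindowTextW.USER32(00000000,?,00000100), ref: 0041AC87
  • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
"""

@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: str                       # address of the call site in the dump
    subcall: Optional[str] = None  # set for "Part of subcall function X" lines

LINE_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>[A-Za-z_][\w@]*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})"
)

def parse_trace(text: str) -> list:
    """Turn the bullet lines of a report 'APIs' block into Call records."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(Call(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub")))
    return calls

def _hex(value: str) -> Optional[int]:
    try:
        return int(value, 16)
    except ValueError:  # "?" or a string literal such as "getaddrinfo"
        return None

def _named(table: dict) -> Callable[[str], Optional[str]]:
    return lambda value: table.get(_hex(value))

def _count(unit: str) -> Callable[[str], Optional[str]]:
    return lambda value: None if _hex(value) is None else f"{_hex(value)} {unit}"

def _winsock_version(value: str) -> Optional[str]:
    v = _hex(value)
    # MAKEWORD(major, minor): low byte is the major version, high byte the minor
    return None if v is None else f"Winsock {v & 0xFF}.{(v >> 8) & 0xFF}"

def _literal(value: str) -> Optional[str]:
    return None if value == "?" else value

# Positions follow the documented Win32 prototypes; only these are decoded.
DECODERS = {
    "RegOpenKeyExA": {
        0: ("hKey", _named({0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
                            0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"})),
        3: ("samDesired", _named({0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"})),
    },
    "socket": {1: ("type", _named({1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"})),
               2: ("protocol", _named({6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}))},
    "WSAStartup": {0: ("wVersionRequested", _winsock_version)},
    "CreateEventW": {2: ("bManualReset", _named({0: "auto-reset", 1: "manual-reset"}))},
    "GetWindowTextW": {2: ("nMaxCount", _count("characters"))},
    "GetProcAddress": {1: ("lpProcName", _literal)},
    "Sleep": {0: ("dwMilliseconds", _count("ms"))},
    "SystemParametersInfoW": {0: ("uiAction", _named({0x14: "SPI_SETDESKWALLPAPER"}))},
}

def decode_call(call: Call) -> dict:
    """Map the decodable positional arguments of one call to symbolic names."""
    out = {}
    for pos, (name, decode) in DECODERS.get(call.api, {}).items():
        if pos < len(call.args):
            label = decode(call.args[pos])
            if label is not None:
                out[name] = label
    return out

def summarize(text: str) -> list:
    """One triage line per call, with whatever the decoder recognised."""
    lines = []
    for call in parse_trace(text):
        decoded = ", ".join(f"{k}={v}" for k, v in decode_call(call).items())
        prefix = f"[sub {call.subcall}] " if call.subcall else ""
        lines.append(f"{prefix}{call.api} @ {call.ref}" + (f": {decoded}" if decoded else ""))
    return lines

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_TRACE)))
```

The decoder deliberately ignores anything beyond an API's declared parameter count: the trailing values in these lines, such as 0040B996 and 004660E0 after RegCloseKey's single handle argument, are stack contents at the call site (return addresses and locals), and treating them as arguments produces false conclusions. Extend DECODERS with further (position, name, table) entries as you work through the remaining blocks of the report.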
                                                APIs
                                                • RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID:
                                                • API String ID: 1279760036-0
                                                • Opcode ID: 382123f4ff15faebfb065adfee4593ee0e25617df91b7722ec70fd9da05ca189
                                                • Instruction ID: 23017b4f7b15ec8d1e6c8205d578d5100ba2a3a3bb6c043e3f5ab96588fe2cc9
                                                • Opcode Fuzzy Hash: 382123f4ff15faebfb065adfee4593ee0e25617df91b7722ec70fd9da05ca189
                                                • Instruction Fuzzy Hash: 16E0E5312002B556FB202A6A9C05F5B7A88DB437A4F160133AC09D62D0CF5CEC4181AF
                                                APIs
                                                • WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Startup
                                                • String ID:
                                                • API String ID: 724789610-0
                                                • Opcode ID: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                                                • Instruction ID: eac2355bac846bce9fd0ddf676e945afe2a4b646382637a0be3cadb4b1fbcda1
                                                • Opcode Fuzzy Hash: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                                                • Instruction Fuzzy Hash: E1D012325596084ED610AAB8AC0F8A47B5CD317611F0003BA6CB5826E3E640661CC6AB
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: send
                                                • String ID:
                                                • API String ID: 2809346765-0
                                                • Opcode ID: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                                                • Instruction ID: f30177ef1ac25d972003a71432bbdafa3536f6886768dd9ca1b11e7f0a6bf502
                                                • Opcode Fuzzy Hash: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                                                • Instruction Fuzzy Hash: 4FB09279118302BFCA051B60DC0887A7EBAABC9381B108C2CB146512B0CA37C490EB36
                                                APIs
                                                • SetEvent.KERNEL32(?,?), ref: 00406F28
                                                • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
                                                • DeleteFileW.KERNEL32(00000000), ref: 00407018
                                                  • Part of subcall function 0041B42F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B489
                                                  • Part of subcall function 0041B42F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4BB
                                                  • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B50C
                                                  • Part of subcall function 0041B42F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B561
                                                  • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B568
                                                  • Part of subcall function 00404468: send.WS2_32(00000304,00000000,00000000,00000000), ref: 004044FD
                                                  • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                  • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                  • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                  • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                  • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(00000330,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                                  • Part of subcall function 00404468: SetEvent.KERNEL32(00000330,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
                                                • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
                                                • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
                                                • DeleteFileA.KERNEL32(?), ref: 004078CC
                                                  • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
                                                  • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                  • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                • Sleep.KERNEL32(000007D0), ref: 00407976
                                                • StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
                                                  • Part of subcall function 0041BB77: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                                                • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$TTF$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
                                                • API String ID: 2918587301-184849705
                                                • Opcode ID: cee1eaa003f0d99ec37409f83af903312ac75341018c76db6d10723a028a15f1
                                                • Instruction ID: 8a4068a2e00c67808ff4e441dc576a613f01372a1abbdcb91e63f440e0dcd641
                                                • Opcode Fuzzy Hash: cee1eaa003f0d99ec37409f83af903312ac75341018c76db6d10723a028a15f1
                                                • Instruction Fuzzy Hash: 60429371A043005BC614F776C8979AE77A99F90718F40493FF946731E2EE3CAA09C69B
                                                APIs
                                                • __Init_thread_footer.LIBCMT ref: 0040508E
                                                  • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                                  • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                                  • Part of subcall function 00404468: send.WS2_32(00000304,00000000,00000000,00000000), ref: 004044FD
                                                • __Init_thread_footer.LIBCMT ref: 004050CB
                                                • CreatePipe.KERNEL32(00475CEC,00475CD4,00475BF8,00000000,0046556C,00000000), ref: 0040515E
                                                • CreatePipe.KERNEL32(00475CD8,00475CF4,00475BF8,00000000), ref: 00405174
                                                • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C08,00475CDC), ref: 004051E7
                                                  • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                                  • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                                • Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
                                                • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
                                                • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
                                                  • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                • WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
                                                • Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
                                                • TerminateProcess.KERNEL32(00000000), ref: 004053C1
                                                • CloseHandle.KERNEL32 ref: 004053CD
                                                • CloseHandle.KERNEL32 ref: 004053D5
                                                • CloseHandle.KERNEL32 ref: 004053E7
                                                • CloseHandle.KERNEL32 ref: 004053EF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                • String ID: P\G$P\G$P\G$P\G$P\G$SystemDrive$cmd.exe
                                                • API String ID: 3815868655-81343324
                                                • Opcode ID: 3962288f67b6343dc351fcf9cfefafb790a27fc5d456e23b5c61f5133e29afc6
                                                • Instruction ID: b18bac6d60c4c725a58799f80733fb47b3e4e6a61b1262bf76379e9ec18ff918
                                                • Opcode Fuzzy Hash: 3962288f67b6343dc351fcf9cfefafb790a27fc5d456e23b5c61f5133e29afc6
                                                • Instruction Fuzzy Hash: A691E5716007056FD705BB65AC41A6F37A8EB80348F50403FF94ABA1E2EEBC9C448B6D
                                                APIs
                                                • GetCurrentProcessId.KERNEL32 ref: 00410F45
                                                  • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                  • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                  • Part of subcall function 004127D5: RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
                                                • CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6
                                                  • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                  • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                  • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
                                                • CloseHandle.KERNEL32(00000000), ref: 00410F90
                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                                                • String ID: 0DG$Remcos restarted by watchdog!$TTF$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$BG
                                                • API String ID: 65172268-329858390
                                                • Opcode ID: 51674d9ef77ab3affcb4b811ad4559765d13db7ea621b316b6720b079fd226d4
                                                • Instruction ID: 2ec41641ff7d981187ed77e29e7d519fc89a207972baa733902a05010441332b
                                                • Opcode Fuzzy Hash: 51674d9ef77ab3affcb4b811ad4559765d13db7ea621b316b6720b079fd226d4
                                                • Instruction Fuzzy Hash: 97719E3160420157C614FB32D8579AE77A8AED4718F40053FF582A21F2EF7CAA49869F
                                                APIs
                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
                                                • FindClose.KERNEL32(00000000), ref: 0040B3CE
                                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
                                                • FindClose.KERNEL32(00000000), ref: 0040B517
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Find$CloseFile$FirstNext
                                                • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                • API String ID: 1164774033-3681987949
                                                • Opcode ID: 8a573f4cde42bb8974b55a1bb9849f05b01946ec243df485f40a07b19650f4e4
                                                • Instruction ID: 89bba1744b34cafda07904381260291e44814ca984bf7dbd554ee600cd7873bd
                                                • Opcode Fuzzy Hash: 8a573f4cde42bb8974b55a1bb9849f05b01946ec243df485f40a07b19650f4e4
                                                • Instruction Fuzzy Hash: 4D512C319042195ADB14FBA1EC96AEE7768EF50318F50007FF805B31E2EF389A45CA9D
                                                APIs
                                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
                                                • FindClose.KERNEL32(00000000), ref: 0040B5CC
                                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
                                                • FindClose.KERNEL32(00000000), ref: 0040B6B2
                                                • FindClose.KERNEL32(00000000), ref: 0040B6D1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Find$Close$File$FirstNext
                                                • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                • API String ID: 3527384056-432212279
                                                • Opcode ID: e3298efea2014f122d9e4da4ca7a52805c3aaa742dc7125d16785d6f153ddc68
                                                • Instruction ID: 41d59f58487c11b5b23c2ebc8e3123b77d6604a8f5f59a85184e8f88ff1ca84c
                                                • Opcode Fuzzy Hash: e3298efea2014f122d9e4da4ca7a52805c3aaa742dc7125d16785d6f153ddc68
                                                • Instruction Fuzzy Hash: 65413A319042196ACB14F7A1EC569EE7768EE21318F50017FF801B31E2EF399A458A9E
                                                APIs
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
                                                • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
                                                • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C
                                                  • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                  • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                  • Part of subcall function 004127D5: RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                                                • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
                                                • API String ID: 726551946-3025026198
                                                • Opcode ID: c6b8a8b98bbd4d63e6190979d81124dee66bc740cd9cc34f4ffc17523aed10bc
                                                • Instruction ID: ae31f71cb8b9f969ca9e83e5ca698076ed3bac053ed440982de07d1dc4d90588
                                                • Opcode Fuzzy Hash: c6b8a8b98bbd4d63e6190979d81124dee66bc740cd9cc34f4ffc17523aed10bc
                                                • Instruction Fuzzy Hash: ED7172311083019BC714FB61D8519EF77A5BF91358F400D3EF986631E2EF38A959CA9A
                                                APIs
                                                • OpenClipboard.USER32 ref: 004159C7
                                                • EmptyClipboard.USER32 ref: 004159D5
                                                • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
                                                • GlobalLock.KERNEL32(00000000), ref: 004159FE
                                                • GlobalUnlock.KERNEL32(00000000), ref: 00415A34
                                                • SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
                                                • CloseClipboard.USER32 ref: 00415A5A
                                                • OpenClipboard.USER32 ref: 00415A61
                                                • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                • CloseClipboard.USER32 ref: 00415A89
                                                  • Part of subcall function 00404468: send.WS2_32(00000304,00000000,00000000,00000000), ref: 004044FD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                • String ID:
                                                • API String ID: 3520204547-0
                                                • Opcode ID: aec1d1bf9f744aaed2c9463717a263a6e62bb038cffa3167de4c184d82277f83
                                                • Instruction ID: b8e523df9fc7c7245f85f50a48877f09888e29e8b5459684195c928b546a98bf
                                                • Opcode Fuzzy Hash: aec1d1bf9f744aaed2c9463717a263a6e62bb038cffa3167de4c184d82277f83
                                                • Instruction Fuzzy Hash: E02183712043009BC714BBB1EC5AAAE76A9AF80752F00453EFD06961E2EF38C845D66A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: 0$1$2$3$4$5$6$7
                                                • API String ID: 0-3177665633
                                                • Opcode ID: f8af07fa47c58c456c71caf90e41cb852091bf7478b48f1c56509a0c55dbd029
                                                • Instruction ID: 2879f211a781d1662389055333b9a248a4bc7621c6500268a6892da51c348380
                                                • Opcode Fuzzy Hash: f8af07fa47c58c456c71caf90e41cb852091bf7478b48f1c56509a0c55dbd029
                                                • Instruction Fuzzy Hash: CC61A370508301AEDB00EF21D862FEA77E4AF85754F40485EFA91672E1DF789A48C797
                                                APIs
                                                • GetForegroundWindow.USER32(?,?,004740F8), ref: 00409B3F
                                                • GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                • GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                • GetKeyState.USER32(00000010), ref: 00409B5C
                                                • GetKeyboardState.USER32(?,?,004740F8), ref: 00409B67
                                                • ToUnicodeEx.USER32(0047414C,00000000,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                • ToUnicodeEx.USER32(0047414C,?,?,?,00000010,00000000,00000000), ref: 00409C1C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                • String ID: 8[G
                                                • API String ID: 1888522110-1691237782
                                                • Opcode ID: 925a5eb4e75251b1def6021025d6fe2bb9c2de734200d7c4e5adce8016dcfecb
                                                • Instruction ID: f24a8317de74a0bbad47f265c67a45df51816e9018bfad09e00086f3728f1c27
                                                • Opcode Fuzzy Hash: 925a5eb4e75251b1def6021025d6fe2bb9c2de734200d7c4e5adce8016dcfecb
                                                • Instruction Fuzzy Hash: EE318172508309AFD700DF90DC85FDBB7ECEB48715F00083ABA45961A1D6B5E948DB96
                                                APIs
                                                • _wcslen.LIBCMT ref: 00406788
                                                • CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Object_wcslen
                                                • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                • API String ID: 240030777-3166923314
                                                • Opcode ID: f680b05b7da9254b8b2e62aef58334289a0f3b659c75efd963e3361adaa2c028
                                                • Instruction ID: dba8c49f7cecafb8ed31af17d29d910bb03d3c12ecd117c8e18c4d6c9c114880
                                                • Opcode Fuzzy Hash: f680b05b7da9254b8b2e62aef58334289a0f3b659c75efd963e3361adaa2c028
                                                • Instruction Fuzzy Hash: 811170B2901118AEDB10FAA5884AA9EB7BCDB48714F55007FE905F3281E7789A148A7D
                                                APIs
                                                • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004748F8), ref: 004198D8
                                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419927
                                                • GetLastError.KERNEL32 ref: 00419935
                                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041996D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                • String ID:
                                                • API String ID: 3587775597-0
                                                • Opcode ID: 3890bdb0540eb0e670ed260973a12fdff1d758257f1b422d234bde2ff04c0bf6
                                                • Instruction ID: 5304d2aa3016a1bb8b693e548c532b43deb082133906afc562c92feca393f19d
                                                • Opcode Fuzzy Hash: 3890bdb0540eb0e670ed260973a12fdff1d758257f1b422d234bde2ff04c0bf6
                                                • Instruction Fuzzy Hash: 37812F711083049BC614FB21DC959AFB7A8BF94718F50493EF582521E2EF78AA05CB9A
                                                APIs
                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
                                                • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004514C3
                                                • IsValidCodePage.KERNEL32(00000000), ref: 0045151E
                                                • IsValidLocale.KERNEL32(?,00000001), ref: 0045152D
                                                • GetLocaleInfoW.KERNEL32(?,00001001,<D,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00451575
                                                • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 00451594
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                • String ID: <D$<D$<D
                                                • API String ID: 745075371-3495170934
                                                • Opcode ID: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                • Instruction ID: fdda48fcf8ef828b158f806230e01f9d82b9b72a6df542884d0e4dc3e0683d2c
                                                • Opcode Fuzzy Hash: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                • Instruction Fuzzy Hash: 5A51D571900205ABEF10EFA5CC40BBF73B8AF05702F14056BFD11EB262E7789A488769
                                                APIs
                                                • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B489
                                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4BB
                                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B529
                                                • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B536
                                                  • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B50C
                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B561
                                                • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B568
                                                • GetLastError.KERNEL32(?,?,?,?,?,?,004742E0,004742F8), ref: 0041B570
                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B583
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                • String ID:
                                                • API String ID: 2341273852-0
                                                • Opcode ID: e3c00313fe9feb441b7390d1c72d337a5a5a4ab260ce0f05f37d8840b2d05d0a
                                                • Instruction ID: e81c2b0307560c21eb772b723951cbad4d8c7a866ea933437d0d5d39764c0eb1
                                                • Opcode Fuzzy Hash: e3c00313fe9feb441b7390d1c72d337a5a5a4ab260ce0f05f37d8840b2d05d0a
                                                • Instruction Fuzzy Hash: 0031627184921CAACB20D7B1AC89ADA77BCAF04309F4405EBF505D3181EB799AC5CE69
                                                APIs
                                                • FindFirstFileW.KERNEL32(00000000,?), ref: 00418EBF
                                                • FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F8B
                                                  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$Find$CreateFirstNext
                                                • String ID: @CG$XCG$`HG$`HG$>G
                                                • API String ID: 341183262-3780268858
                                                • Opcode ID: 3672b0363ed14ebe701ddf7546ad45a39a3ac0bcdf08e5ef5de986ef51b215bd
                                                • Instruction ID: 861c71bda04042c44626cba1538e35c757a91b728f0af2478fb4c1063bb13cc5
                                                • Opcode Fuzzy Hash: 3672b0363ed14ebe701ddf7546ad45a39a3ac0bcdf08e5ef5de986ef51b215bd
                                                • Instruction Fuzzy Hash: B08141315042405BC314FB62C892EEFB3A5AFD1718F50493FF946671E2EF389A49C69A
                                                APIs
                                                • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0041301A
                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00413026
                                                  • Part of subcall function 00404468: send.WS2_32(00000304,00000000,00000000,00000000), ref: 004044FD
                                                • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
                                                • GetProcAddress.KERNEL32(00000000), ref: 004131F4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressCloseCreateLibraryLoadProcsend
                                                • String ID: SHDeleteKeyW$Shlwapi.dll
                                                • API String ID: 2127411465-314212984
                                                • Opcode ID: 6d16fc55eb7e1bc2564d5e2bd962dd6c4c24ad70318e51b5b1cf054eeb9cb00d
                                                • Instruction ID: cc67afc49b78d61a2372e1362dfc4f5d4a672f2d1b5b468e2109e7b1f18a6fb5
                                                • Opcode Fuzzy Hash: 6d16fc55eb7e1bc2564d5e2bd962dd6c4c24ad70318e51b5b1cf054eeb9cb00d
                                                • Instruction Fuzzy Hash: 4FB1B671A043006BC614BA76CC979BE76989F94718F40063FF946B31E2EF7C9A4486DB
                                                APIs
                                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
                                                • GetLastError.KERNEL32 ref: 0040B261
                                                Strings
                                                • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
                                                • [Chrome StoredLogins found, cleared!], xrefs: 0040B287
                                                • UserProfile, xrefs: 0040B227
                                                • [Chrome StoredLogins not found], xrefs: 0040B27B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: DeleteErrorFileLast
                                                • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                • API String ID: 2018770650-1062637481
                                                • Opcode ID: 4cd32df34f682fcf287b1bbdb8b1e04e90f5886a02fc20745afa94da3ae3815b
                                                • Instruction ID: 236ee74dc97b4bdf00ef4875347123a6b81b21ae8e03a402b83ae8c28ff1bd46
                                                • Opcode Fuzzy Hash: 4cd32df34f682fcf287b1bbdb8b1e04e90f5886a02fc20745afa94da3ae3815b
                                                • Instruction Fuzzy Hash: 3001A23168410597CA0477B5ED6F8AE3624E921704F50017FF802731E2FF3A9A0586DE
                                                APIs
                                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                • OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                • GetLastError.KERNEL32 ref: 00416B02
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                • String ID: SeShutdownPrivilege
                                                • API String ID: 3534403312-3733053543
                                                • Opcode ID: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                • Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
                                                • Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                • Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: __floor_pentium4
                                                • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                • API String ID: 4168288129-2761157908
                                                • Opcode ID: 66bc95b00190c33de1dc88885a8d3c2e2540cf288971a00217ef3550ead5f7a6
                                                • Instruction ID: 57cc16b57fb9b80973019f24a4c29afa226e887048a240d5689d112d8919aadd
                                                • Opcode Fuzzy Hash: 66bc95b00190c33de1dc88885a8d3c2e2540cf288971a00217ef3550ead5f7a6
                                                • Instruction Fuzzy Hash: 08C26F72D046288FDB25CE28DD407EAB7B5EB44346F1441EBD84DE7242E778AE898F44
                                                APIs
                                                • __EH_prolog.LIBCMT ref: 004089AE
                                                  • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                  • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
                                                • FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
                                                • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
                                                  • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(00000330,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                                  • Part of subcall function 00404468: SetEvent.KERNEL32(00000330,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                                  • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                                                  • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                                                  • Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
                                                  • Part of subcall function 00404468: send.WS2_32(00000304,00000000,00000000,00000000), ref: 004044FD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
                                                • String ID:
                                                • API String ID: 4043647387-0
                                                • Opcode ID: f69b92a23d02f21f0d56daa60a68a1cd7ec2c2bd959d7a231ee33c7a1f80003d
                                                • Instruction ID: d7705bc86650fd6632c5f082d335fbcd32bd3fe840799e2454ee74f5ab9ae988
                                                • Opcode Fuzzy Hash: f69b92a23d02f21f0d56daa60a68a1cd7ec2c2bd959d7a231ee33c7a1f80003d
                                                • Instruction Fuzzy Hash: 11A15C729001089ACB14EBA1DD92AEDB778AF54318F10427FF546B71D2EF385E498B98
                                                APIs
                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041981A,00000000,00000000), ref: 00419BCD
                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041981A,00000000,00000000), ref: 00419BE2
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419BEF
                                                • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041981A,00000000,00000000), ref: 00419BFA
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0C
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Service$CloseHandle$Open$ManagerStart
                                                • String ID:
                                                • API String ID: 276877138-0
                                                • Opcode ID: 6d0f589b7f4ed5c193fffaa70fef351a53496163331b96a9b3d3840ad54bf661
                                                • Instruction ID: 9ab78235182221d9a13884b701025ebbd4d22640777282bd149d85cf0e5c5631
                                                • Opcode Fuzzy Hash: 6d0f589b7f4ed5c193fffaa70fef351a53496163331b96a9b3d3840ad54bf661
                                                • Instruction Fuzzy Hash: 46F0E971404314AFD2115B31FC88DBF2AACEF85BA2B00043AF54193191CF68CD4595B9
                                                APIs
                                                  • Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                  • Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                  • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                  • Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                  • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
                                                • ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
                                                • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
                                                • GetProcAddress.KERNEL32(00000000), ref: 00415977
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                • String ID: PowrProf.dll$SetSuspendState
                                                • API String ID: 1589313981-1420736420
                                                • Opcode ID: 24b9d5b97b4806bc27070f5e9ed0cfc4c326b2396989710b1809eee22d884dc4
                                                • Instruction ID: 94bd0be5b4d635cf3270abd21b93e0cba208aed3fdadf5553bbce7524c8ebf13
                                                • Opcode Fuzzy Hash: 24b9d5b97b4806bc27070f5e9ed0cfc4c326b2396989710b1809eee22d884dc4
                                                • Instruction Fuzzy Hash: 7D2150B0604741E6CA14F7B19856AEF225A9F80748F40883FB402A72D2EF7CDC89865E
                                                APIs
                                                • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 0045127C
                                                • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 004512A5
                                                • GetACP.KERNEL32(?,?,00451502,?,00000000), ref: 004512BA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: InfoLocale
                                                • String ID: ACP$OCP
                                                • API String ID: 2299586839-711371036
                                                • Opcode ID: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                                • Instruction ID: bcb6c1b5649eca6e102b6d6ca9fa22aa61ab34f591545d84575f60c76f210f03
                                                • Opcode Fuzzy Hash: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                                • Instruction Fuzzy Hash: 50212722600100A6D7348F54D900BAB73A6AB40B66F1645E6FD09E7322F736DD49C799
                                                APIs
                                                • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A650
                                                • LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A664
                                                • LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A66B
                                                • SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Resource$FindLoadLockSizeof
                                                • String ID: SETTINGS
                                                • API String ID: 3473537107-594951305
                                                • Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                • Instruction ID: 83a829ee02157d331b98a48cb758db5ec39b6d120b3a3db205f860a33549a403
                                                • Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                • Instruction Fuzzy Hash: 3EE01A3A200710ABCB211BA5BC8CD477E39E7867633140036F90582331DA358850CA59
                                                APIs
                                                • __EH_prolog.LIBCMT ref: 00407A91
                                                • FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Find$File$CloseFirstH_prologNext
                                                • String ID:
                                                • API String ID: 1157919129-0
                                                • Opcode ID: f8d6f61274b0bae339bae7b451de80ad719001fbde1d2d56a94fc198990b07ef
                                                • Instruction ID: c296e4c637b16ec180f1d25cf2666c4e6f2336455dd814d501b84ef2841b6e91
                                                • Opcode Fuzzy Hash: f8d6f61274b0bae339bae7b451de80ad719001fbde1d2d56a94fc198990b07ef
                                                • Instruction Fuzzy Hash: 485173329041085ACB14FB65DD969DD7778AF50318F50417EB806B31E2EF38AB498B99
                                                APIs
                                                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
                                                • _free.LIBCMT ref: 00448067
                                                  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                  • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                • _free.LIBCMT ref: 00448233
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                • String ID:
                                                • API String ID: 1286116820-0
                                                • Opcode ID: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                                                • Instruction ID: adcac59616ce0bf4d9b6f5e4feac4fc1c4b096f081e8a0f87c9a15d47e4c4f65
                                                • Opcode Fuzzy Hash: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                                                • Instruction Fuzzy Hash: 13510B719002099BE714DF69DC819AFB7BCEF41354F10456FE454A32A1EF389E46CB58
                                                APIs
                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
                                                • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
                                                Strings
                                                • C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, xrefs: 0040627F, 004063A7
                                                • open, xrefs: 0040622E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: DownloadExecuteFileShell
                                                • String ID: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe$open
                                                • API String ID: 2825088817-420285431
                                                • Opcode ID: f0610ef7ed063fd3f7ff7fa235423d12320f7f493cbf0b1c362c018c3e943f78
                                                • Instruction ID: f68f5450864a8ef507c8d3860f756bd811b48be2db930e76b40a644c5c1bb7bc
                                                • Opcode Fuzzy Hash: f0610ef7ed063fd3f7ff7fa235423d12320f7f493cbf0b1c362c018c3e943f78
                                                • Instruction Fuzzy Hash: 0761A33160434067CA14FA76C8569BE77A69F81718F00493FBC46772D6EF3C9A05C69B
                                                APIs
                                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
                                                • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
                                                  • Part of subcall function 00404468: send.WS2_32(00000304,00000000,00000000,00000000), ref: 004044FD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FileFind$FirstNextsend
                                                • String ID: x@G$x@G
                                                • API String ID: 4113138495-3390264752
                                                • Opcode ID: b36d87b323ec5cc269eb522c3cc31d9de89321549abc1b076fcc759a7cbe0d3a
                                                • Instruction ID: 9df0c8526107c53e8273efc1e688d8f669138e67c86485f4ac558c26d22f9560
                                                • Opcode Fuzzy Hash: b36d87b323ec5cc269eb522c3cc31d9de89321549abc1b076fcc759a7cbe0d3a
                                                • Instruction Fuzzy Hash: B42147725043015BC714FB61D8959AF77A8AFD1358F40093EF996A31D1EF38AA088A9B
                                                APIs
                                                • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                                  • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                                                  • Part of subcall function 004126D2: RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                                                  • Part of subcall function 004126D2: RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseCreateInfoParametersSystemValue
                                                • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                • API String ID: 4127273184-3576401099
                                                • Opcode ID: 3d360fdf2e78990b0619b3c2804760803c56fcbcebbcac8b827f4f8c51bc1c9b
                                                • Instruction ID: a6c166168c7895b99543370299e99232025f4d6daba66cbb636fef562e17b9dc
                                                • Opcode Fuzzy Hash: 3d360fdf2e78990b0619b3c2804760803c56fcbcebbcac8b827f4f8c51bc1c9b
                                                • Instruction Fuzzy Hash: 06112432B8060433D514303A4E6FBAE1806D356B60FA4415FF6026A6DAFA9E5AE103DF
                                                APIs
                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443CF3,?,?,?,?,?,?,00000004), ref: 00450B61
                                                • _wcschr.LIBVCRUNTIME ref: 00450BF1
                                                • _wcschr.LIBVCRUNTIME ref: 00450BFF
                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00443CF3,00000000,00443E13), ref: 00450CA2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                • String ID:
                                                • API String ID: 4212172061-0
                                                • Opcode ID: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                                                • Instruction ID: a02e79dc60b90d06ce6287b0e519d5a2a37574338541b46fb9e412c2f7ec0900
                                                • Opcode Fuzzy Hash: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                                                • Instruction Fuzzy Hash: D7613B79600306AAD729AB75CC82AAB73ACEF05316F14052FFD05D7243E778E909C768
                                                APIs
                                                • __EH_prolog.LIBCMT ref: 00408DAC
                                                • FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
                                                • FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FileFind$FirstH_prologNext
                                                • String ID:
                                                • API String ID: 301083792-0
                                                • Opcode ID: 0e4e9ac495abe8b57423f5ed93f9f96552df352c1a46bf6d3c996a5919a60c28
                                                • Instruction ID: 60446431aa0b45b5fc099c057f6d50f3e7887136e12703af2d86415be67689ac
                                                • Opcode Fuzzy Hash: 0e4e9ac495abe8b57423f5ed93f9f96552df352c1a46bf6d3c996a5919a60c28
                                                • Instruction Fuzzy Hash: 357140328001099BCB15EBA1DC919EE7778AF54318F10427FE856B71E2EF386E45CB98
                                                APIs
                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450EBE
                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F0F
                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FCF
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorInfoLastLocale$_free$_abort
                                                • String ID:
                                                • API String ID: 2829624132-0
                                                • Opcode ID: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                                                • Instruction ID: e92eb603d23812efeda5bde14236c6fbce748c008cf001f3fb8de25b7fcb8669
                                                • Opcode Fuzzy Hash: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                                                • Instruction Fuzzy Hash: AC61D3365002079FDB289F24CD82BBB77A8EF04706F1041BBED05C6696E778D989DB58
                                                APIs
                                                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 0043A755
                                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 0043A75F
                                                • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 0043A76C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                • String ID:
                                                • API String ID: 3906539128-0
                                                • Opcode ID: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                                • Instruction ID: 15fc2c217458336097e8e19d69e2940e7c5a4b77666d4e23b7e272f62fea865b
                                                • Opcode Fuzzy Hash: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                                • Instruction Fuzzy Hash: 2D31D47490121CABCB21DF64D98979DBBB8BF08310F5052EAE81CA7251E7349F81CF49
                                                APIs
                                                • GetCurrentProcess.KERNEL32(?,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002,00000000), ref: 00442575
                                                • TerminateProcess.KERNEL32(00000000,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002,00000000), ref: 0044257C
                                                • ExitProcess.KERNEL32 ref: 0044258E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$CurrentExitTerminate
                                                • String ID:
                                                • API String ID: 1703294689-0
                                                • Opcode ID: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                • Instruction ID: 6e58600c80f72e94ca833af3256d2da28fe7ef7edb4b61bff2e48710a34f1207
                                                • Opcode Fuzzy Hash: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                • Instruction Fuzzy Hash: 65E08C31004648BFDF016F14EE18A893F29EF10346F408475F80A8A632CFB9DE92CB88
                                                APIs
                                                • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150C3,00000000), ref: 0041ACCC
                                                • NtSuspendProcess.NTDLL(00000000), ref: 0041ACD9
                                                • CloseHandle.KERNEL32(00000000,?,?,004150C3,00000000), ref: 0041ACE2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$CloseHandleOpenSuspend
                                                • String ID:
                                                • API String ID: 1999457699-0
                                                • Opcode ID: 25604720b1c4003eaa4d94084830c6d0564ffd887a8d5c6f711170065f3891c4
                                                • Instruction ID: f0940f0a464cb9da12e036c8bcda16370f3965740af83b573a45ae51f9acba0f
                                                • Opcode Fuzzy Hash: 25604720b1c4003eaa4d94084830c6d0564ffd887a8d5c6f711170065f3891c4
                                                • Instruction Fuzzy Hash: E7D0A733605131638221176A7C0CC87EE6CDFC1EB37024136F404C3220DA30C84186F4
                                                APIs
                                                • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150E8,00000000), ref: 0041ACF8
                                                • NtResumeProcess.NTDLL(00000000), ref: 0041AD05
                                                • CloseHandle.KERNEL32(00000000,?,?,004150E8,00000000), ref: 0041AD0E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$CloseHandleOpenResume
                                                • String ID:
                                                • API String ID: 3614150671-0
                                                • Opcode ID: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
                                                • Instruction ID: b64f47c6af987b25b68fadd97e6a7e629856a7b738c344dffca8a71896aa998e
                                                • Opcode Fuzzy Hash: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
                                                • Instruction Fuzzy Hash: DFD0A733504132638220176A7C0CC87EDADDFC5EB37024236F404C3621DA34C841C6F4
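The two blocks above (call sites 0041ACCC and 0041ACF8) are the ones worth a second look in this stretch of the listing: each opens a process by PID with dwDesiredAccess 00000800, which is PROCESS_SUSPEND_RESUME, the single right the ntdll exports NtSuspendProcess and NtResumeProcess need, and then freezes or unfreezes the whole target process rather than one thread. The IsDebuggerPresent block at 0043A755, by contrast, sits next to SetUnhandledExceptionFilter and UnhandledExceptionFilter, which is the shape of the MSVC CRT's fault-report routine, so on its own it is weak evidence of deliberate anti-debugging. The Python helper below is an added example, not part of the Joe Sandbox report: it parses the bullet lines under the report's "APIs" headings, decodes the OpenProcess access mask with the PROCESS_* values from winnt.h, and flags both patterns. The line format it matches and the SAMPLE excerpt are taken from this page; the PROCESS_RIGHTS table and the finding wording are the example's own.

```python
"""Triage helper for Joe Sandbox 'APIs' listings (added example, not report code).
Parses the bullet lines under each 'APIs' heading, decodes the OpenProcess
dwDesiredAccess mask and flags call patterns worth confirming by hand."""
import re
from collections import namedtuple

# Matches '• OpenProcess.KERNEL32(00000800,...), ref: 0041ACCC' and the indented
# '• Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D' form.
API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")

# Process-specific access rights from winnt.h plus SYNCHRONIZE, lowest bit first.
PROCESS_RIGHTS = (
    (0x0001, "PROCESS_TERMINATE"), (0x0002, "PROCESS_CREATE_THREAD"),
    (0x0004, "PROCESS_SET_SESSIONID"), (0x0008, "PROCESS_VM_OPERATION"),
    (0x0010, "PROCESS_VM_READ"), (0x0020, "PROCESS_VM_WRITE"),
    (0x0040, "PROCESS_DUP_HANDLE"), (0x0080, "PROCESS_CREATE_PROCESS"),
    (0x0100, "PROCESS_SET_QUOTA"), (0x0200, "PROCESS_SET_INFORMATION"),
    (0x0400, "PROCESS_QUERY_INFORMATION"), (0x0800, "PROCESS_SUSPEND_RESUME"),
    (0x1000, "PROCESS_QUERY_LIMITED_INFORMATION"),
    (0x2000, "PROCESS_SET_LIMITED_INFORMATION"), (0x00100000, "SYNCHRONIZE"),
)

# args: raw tokens ('?' = value not recovered); ref: call-site address;
# subcall: True when the line came from a 'Part of subcall function' entry.
ApiCall = namedtuple("ApiCall", "api module args ref subcall")

def parse_blocks(text):
    """Return one list of ApiCall per 'APIs' heading, in report order."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = []
            blocks.append(current)
        elif line in ("Strings", "Memory Dump Source"):
            current = None
        elif current is not None:
            m = API_LINE.match(raw)
            if m:
                args = tuple(a.strip() for a in (m["args"] or "").split(",") if a.strip())
                current.append(ApiCall(m["api"], m["module"], args,
                                       int(m["ref"], 16), m["sub"] is not None))
    return blocks

def hex_arg(token):
    """Integer value of an 8-digit hex token, or None for '?', '<D' and the like."""
    return int(token, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", token) else None

def decode_process_access(mask):
    """Name the bits of an OpenProcess dwDesiredAccess value; bits outside the
    table (GENERIC_*, other standard rights, MAXIMUM_ALLOWED) stay as a hex remainder."""
    names = [name for bit, name in PROCESS_RIGHTS if mask & bit]
    rest = mask & ~sum(bit for bit, _ in PROCESS_RIGHTS)
    return names + ([f"0x{rest:X}"] if rest else [])

def find_capabilities(blocks):
    """Plain-text findings for call patterns worth a closer look."""
    findings = []
    for calls in blocks:
        own = [c for c in calls if not c.subcall]
        names = {c.api for c in own}
        # IsDebuggerPresent next to (Set)UnhandledExceptionFilter is typically the
        # MSVC CRT fault-report routine rather than a deliberate anti-debug check.
        if {"IsDebuggerPresent", "SetUnhandledExceptionFilter",
            "UnhandledExceptionFilter"} <= names:
            findings.append("IsDebuggerPresent inside a CRT-style fault-report "
                            "sequence: weak anti-debug evidence, verify by hand")
        for c in own:
            mask = hex_arg(c.args[0]) if c.api == "OpenProcess" and c.args else None
            if mask is None:
                continue
            rights = "|".join(decode_process_access(mask))
            for nt in ("NtSuspendProcess", "NtResumeProcess"):
                if nt in names:
                    findings.append(f"{nt} on a foreign process opened with "
                                    f"{rights} (OpenProcess at {c.ref:08X})")
    return findings

# Constructed excerpt: three function blocks copied from this report's listing.
SAMPLE = """
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 0043A755
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 0043A75F
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 0043A76C
Memory Dump Source
APIs
• OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150C3,00000000), ref: 0041ACCC
• NtSuspendProcess.NTDLL(00000000), ref: 0041ACD9
• CloseHandle.KERNEL32(00000000,?,?,004150C3,00000000), ref: 0041ACE2
Memory Dump Source
APIs
• OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150E8,00000000), ref: 0041ACF8
• NtResumeProcess.NTDLL(00000000), ref: 0041AD05
• CloseHandle.KERNEL32(00000000,?,?,004150E8,00000000), ref: 0041AD0E
Memory Dump Source
"""
```

Running `find_capabilities(parse_blocks(SAMPLE))` yields three findings: the CRT-style IsDebuggerPresent note, and one line each for NtSuspendProcess and NtResumeProcess on a process opened with exactly PROCESS_SUSPEND_RESUME. The PID argument is `?` in both OpenProcess calls, so the target is chosen at runtime; the static listing only establishes the capability, and a hunt for which process gets frozen belongs in the dynamic trace. Pasting further "APIs" blocks from the report into `SAMPLE` extends the scan without changing the code.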
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: .
                                                • API String ID: 0-248832578
                                                • Opcode ID: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                                                • Instruction ID: db76f937e81630575b2700384d205b0ac401e8f874fa32e43cac1aabc581782c
                                                • Opcode Fuzzy Hash: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                                                • Instruction Fuzzy Hash: CB310471900209AFEB249E79CC84EEB7BBDDB86318F1101AEF91897251E6389D458B64
                                                APIs
                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                • EnumSystemLocalesW.KERNEL32(00450E6A,00000001,00000000,?,<D,?,00451497,00000000,?,?,?), ref: 00450DB4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                • String ID: <D
                                                • API String ID: 1084509184-3866323178
                                                • Opcode ID: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
                                                • Instruction ID: b1cdb4a87285138648e71eec5b58018a028c0508cbf90fbfa4a5e64eba390ba2
                                                • Opcode Fuzzy Hash: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
                                                • Instruction Fuzzy Hash: 9C11293B2007055FDB189F79D8916BAB7A1FF8031AB14442DE94647741D375B846C744
                                                APIs
                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                • EnumSystemLocalesW.KERNEL32(004510BA,00000001,?,?,<D,?,0045145B,<D,?,?,?,?,?,00443CEC,?,?), ref: 00450E29
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                • String ID: <D
                                                • API String ID: 1084509184-3866323178
                                                • Opcode ID: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
                                                • Instruction ID: d323619e2976bd52c5edaa4f55efd93dda7e8b303aa23e489220a9c0c916f3e4
                                                • Opcode Fuzzy Hash: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
                                                • Instruction Fuzzy Hash: 5BF0223A2003045FDB145F3AD882AAB7B95EF81729B25842EFD058B782D275AC42C644
                                                APIs
                                                • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475EA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: InfoLocale
                                                • String ID: GetLocaleInfoEx
                                                • API String ID: 2299586839-2904428671
                                                • Opcode ID: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                                • Instruction ID: 80a81796b135a3e0eaabc3ca7fb48afb6b687e063e78a0117ef0368584b3b56e
                                                • Opcode Fuzzy Hash: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                                • Instruction Fuzzy Hash: 82F0F031A44308BBDB11AF61EC06F6E7B25EF04712F00416AFC046A2A2CB359E11969E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
                                                • Instruction ID: cffdc6bb8eb20f5336ace8b102e865ec7dcfb2cf624fb46ac032ba80a60d6a90
                                                • Opcode Fuzzy Hash: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
                                                • Instruction Fuzzy Hash: 8A024C71E002199BEF14CFA9C9806AEBBF1FF88314F25826AD919E7350D735AD45CB84
                                                APIs
                                                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004520CD,?,?,00000008,?,?,00455412,00000000), ref: 004522FF
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExceptionRaise
                                                • String ID:
                                                • API String ID: 3997070919-0
                                                • Opcode ID: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
                                                • Instruction ID: 47108b7899804ebb5d40a9255b8f0d240b678f8396b787326aeb691ef157153f
                                                • Opcode Fuzzy Hash: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
                                                • Instruction Fuzzy Hash: C0B18F351106089FD715CF28C586B567BE0FF06325F29869AEC99CF3A2C379E986CB44
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: 0
                                                • API String ID: 0-4108050209
                                                • Opcode ID: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
                                                • Instruction ID: f72c02501a8b687524d4eed2bba9748ce27a8789a4669d3223b659a6f876a8a8
                                                • Opcode Fuzzy Hash: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
                                                • Instruction Fuzzy Hash: 8002B3727083004BD714DF39D95272EF3E2AFCC758F15492EF499AB391DA78A8058A4A
                                                APIs
                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045110E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$_free$InfoLocale_abort
                                                • String ID:
                                                • API String ID: 1663032902-0
                                                • Opcode ID: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                                • Instruction ID: 725ff80feb3504da526bb6f16fdbe645276de1ecdd37ac2f1e7666d8a95350e0
                                                • Opcode Fuzzy Hash: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                                • Instruction Fuzzy Hash: 2D21B332500606ABDB249A25DC46B7B73A8EB09316F1041BBFE01C6252EB79DD48CB99
                                                APIs
                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451088,00000000,00000000,?), ref: 00451316
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$InfoLocale_abort_free
                                                • String ID:
                                                • API String ID: 2692324296-0
                                                • Opcode ID: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                                                • Instruction ID: 964a9937ac5a020d26487979adcc3deadbef587b10f76395f6381cc8137ce6dd
                                                • Opcode Fuzzy Hash: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                                                • Instruction Fuzzy Hash: 10F07D32500111BBEB286A25CC16BFF7758EB00716F15046BEC06A3651FA38FD49C6D4
                                                APIs
                                                  • Part of subcall function 00444ACC: EnterCriticalSection.KERNEL32(-00471558,?,0044225B,00000000,0046DAC0,0000000C,00442216,0000000A,?,?,00448739,0000000A,?,00446F74,00000001,00000364), ref: 00444ADB
                                                • EnumSystemLocalesW.KERNEL32(00447068,00000001,0046DC48,0000000C), ref: 004470E6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CriticalEnterEnumLocalesSectionSystem
                                                • String ID:
                                                • API String ID: 1272433827-0
                                                • Opcode ID: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
                                                • Instruction ID: 877f7ae5c491a2fbf36f534f7b8138893028b6a81f24f5c3744eb9f6a7677366
                                                • Opcode Fuzzy Hash: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
                                                • Instruction Fuzzy Hash: F6F04932A10200EFEB04EF68E806B4D77B0EB44725F10816AF414DB2E2DB7889818B49
                                                APIs
                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                • EnumSystemLocalesW.KERNEL32(00450C4E,00000001,?,?,?,004514B9,<D,?,?,?,?,?,00443CEC,?,?,?), ref: 00450D2E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                • String ID:
                                                • API String ID: 1084509184-0
                                                • Opcode ID: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
                                                • Instruction ID: ec648f77c102ae861fabd43d141f98194b25f4d0b1f390d0839222eb7000fb0b
                                                • Opcode Fuzzy Hash: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
                                                • Instruction Fuzzy Hash: CBF05C3D30020557CB159F35D81576B7F94EFC2711B07405AFE098B381C239D846C754
                                                APIs
                                                • SetUnhandledExceptionFilter.KERNEL32(Function_00033CE3,004339B1), ref: 00433CDC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled
                                                • String ID:
                                                • API String ID: 3192549508-0
                                                • Opcode ID: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
                                                • Instruction ID: 83953e3dca8a62111c248ad4478ddd9c1373f985a30770e5fc8846644fe13ce9
                                                • Opcode Fuzzy Hash: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
                                                • Instruction Fuzzy Hash:
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: BG3i@
                                                • API String ID: 0-2407888476
                                                • Opcode ID: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
                                                • Instruction ID: a817909710d0090f483bb13cdd1d1ee80d6dfae79024daed79820ace932836b2
                                                • Opcode Fuzzy Hash: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
                                                • Instruction Fuzzy Hash: E361777160070966DA385A2858D6BBF6396EB0DB04F10391BE943FF3C1D61DAD43874E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: 0
                                                • API String ID: 0-4108050209
                                                • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                • Instruction ID: e47b97b21f836cd03f295ee90de6feb37cae4df0254a032430ab3cefd666e269
                                                • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                • Instruction Fuzzy Hash: C851AC3160070457DF388A6985DA7BF6B959B0E700F18352FE48AFB382C60DED02979E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: @
                                                • API String ID: 0-2766056989
                                                • Opcode ID: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                                                • Instruction ID: 4dd25ef8aece06dcbd44762d080e1d81d96ea4c89eb3931c7e752ffea448aa68
                                                • Opcode Fuzzy Hash: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                                                • Instruction Fuzzy Hash: 99417576A083158FC314CE29D18021BFBE1FBC8300F568A2EF99693350D679E980CB86
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: >G
                                                • API String ID: 0-1296849874
                                                • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                • Instruction ID: d77b428d8deff70f46db9a150fef47e19855adfe796a652afc1ecdf390514463
                                                • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                • Instruction Fuzzy Hash: D1110BF724C18143EE74862DD8B46B7A795EACE320F2C636BD0C14B758D52A99459908
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: HeapProcess
                                                • String ID:
                                                • API String ID: 54951025-0
                                                • Opcode ID: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                                                • Instruction ID: 9504a653bcf427532d5064532c05f1d04939bb5561e35e6535c2a7eba45b7a60
                                                • Opcode Fuzzy Hash: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                                                • Instruction Fuzzy Hash: 84A00270506201CB57404F756F0525937D9654559170580755409C5571D62585905615
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b5ca945c73f96586680b794a2cfc8b55e8f7bc2f58380cec5295694457d85c5e
                                                • Instruction ID: 1fbb2d6a6e610910e1865e113166bba559d0ad1400e2c5ed2b94208389d41108
                                                • Opcode Fuzzy Hash: b5ca945c73f96586680b794a2cfc8b55e8f7bc2f58380cec5295694457d85c5e
                                                • Instruction Fuzzy Hash: 4E323621D2AF014DE7639634C862336A649AFB73C5F19D737F81AB5AA6EB2CC4C34105
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f36ab663cb4d239ef1e0a5f108238eabc662f1d3d061ede5d5b4150ec9228ddd
                                                • Instruction ID: 2a34495ee4f42e5442afe8381c33b9994a027dd0bc8bc0cc3fe6fc4803c66e78
                                                • Opcode Fuzzy Hash: f36ab663cb4d239ef1e0a5f108238eabc662f1d3d061ede5d5b4150ec9228ddd
                                                • Instruction Fuzzy Hash: 9732C1796087469BD714DF2AC4807ABB7E1BF84304F444A2EFC958B381D778DD858B8A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 51f8d9063bc82676a5307432183369734bf664b3393a643c02daa012ce37ec01
                                                • Instruction ID: 022d1978040d43b7ea9bbfc0a41ffb8b00617051ae00cac38c3f572af68edcce
                                                • Opcode Fuzzy Hash: 51f8d9063bc82676a5307432183369734bf664b3393a643c02daa012ce37ec01
                                                • Instruction Fuzzy Hash: 0D028F717046518FD318CF2EE880536B7E1AF8E301B46863EE585C7395EB74E922CB95
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 74e588301cf54894560b91a60f0e3518b6bdc06a9ff6f3e52f80e31c4ce3b340
                                                • Instruction ID: dd4ce2a6fae4266494c2f053a510589cf36d02151b1693af83bcfdcd1697f2cb
                                                • Opcode Fuzzy Hash: 74e588301cf54894560b91a60f0e3518b6bdc06a9ff6f3e52f80e31c4ce3b340
                                                • Instruction Fuzzy Hash: 55F13B716142548FC314DF1DE89187BB3E0EB8A301B460A2EF5C2D7392DB78E91ADB56
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7363a9fedaeb76f2bf31ad894624b0994c444190ff40f401d8ef5418a52334f3
                                                • Instruction ID: a134442df30985c3d9ded0ed06b90328dea8838589cb671b1bd0994677c35241
                                                • Opcode Fuzzy Hash: 7363a9fedaeb76f2bf31ad894624b0994c444190ff40f401d8ef5418a52334f3
                                                • Instruction Fuzzy Hash: 60D1A171A083158BC721DE29C88096FB7E4FFD8354F446A2EF88597361EB38DD058B86
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e7326b31f45d4e50c8c50174bee11f9882207dfed74e31d12f4697374e1987de
                                                • Instruction ID: 86422b113df266cbb8d28aa4d41e6099a1760efb4c6ea83322c03ecd969c618c
                                                • Opcode Fuzzy Hash: e7326b31f45d4e50c8c50174bee11f9882207dfed74e31d12f4697374e1987de
                                                • Instruction Fuzzy Hash: 46B1817951429A8ACB05EF28C4913F63BA1EF6A300F4851B9EC9CCF757D3399506EB24
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                                • Instruction ID: 3f92c48b0efc6548e9d2ace3e3fdbc0fca8b075b553eb95927f683fa27391a83
                                                • Opcode Fuzzy Hash: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                                • Instruction Fuzzy Hash: A4613471E0070867DE385928B896BBF23A8AB0D708F24755BE942DB381D65DDD43C24E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                • Instruction ID: 61f6cd4e2a94a36a6652522188f48ed2bcd63c305fdb574287b7df62abf21a4e
                                                • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                • Instruction Fuzzy Hash: BB51677170460D9BDB34E96894E77BFA3899B0E344F18350BD882B7382D60CED02939E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6f0963373f33ef73dbd289fc78ad1b7818d684b7f305e862658b304cf2148f24
                                                • Instruction ID: 42e819d74c2f676ea4fb49a2469d6a41ac5eaf2d1859dcf64078451750f97267
                                                • Opcode Fuzzy Hash: 6f0963373f33ef73dbd289fc78ad1b7818d684b7f305e862658b304cf2148f24
                                                • Instruction Fuzzy Hash: 49614E32A083119FC308DF35E581A5BB7E5FFDC718F550E1EF48996151E674EA088B8A
                                                APIs
                                                • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FB9
                                                • CreateCompatibleDC.GDI32(00000000), ref: 00417FC4
                                                  • Part of subcall function 00418452: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418482
                                                • CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418045
                                                • DeleteDC.GDI32(?), ref: 0041805D
                                                • DeleteDC.GDI32(00000000), ref: 00418060
                                                • SelectObject.GDI32(00000000,00000000), ref: 0041806B
                                                • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00418093
                                                • GetCursorInfo.USER32(?), ref: 004180B5
                                                • GetIconInfo.USER32(?,?), ref: 004180CB
                                                • DeleteObject.GDI32(?), ref: 004180FA
                                                • DeleteObject.GDI32(?), ref: 00418107
                                                • DrawIcon.USER32(00000000,?,?,?), ref: 00418114
                                                • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418144
                                                • GetObjectA.GDI32(?,00000018,?), ref: 00418173
                                                • LocalAlloc.KERNEL32(00000040,00000028), ref: 004181BC
                                                • LocalAlloc.KERNEL32(00000040,00000001), ref: 004181DF
                                                • GlobalAlloc.KERNEL32(00000000,?), ref: 00418248
                                                • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041826B
                                                • DeleteDC.GDI32(?), ref: 0041827F
                                                • DeleteDC.GDI32(00000000), ref: 00418282
                                                • DeleteObject.GDI32(00000000), ref: 00418285
                                                • GlobalFree.KERNEL32(00CC0020), ref: 00418290
                                                • DeleteObject.GDI32(00000000), ref: 00418344
                                                • GlobalFree.KERNEL32(?), ref: 0041834B
                                                • DeleteDC.GDI32(?), ref: 0041835B
                                                • DeleteDC.GDI32(00000000), ref: 00418366
                                                • DeleteDC.GDI32(?), ref: 00418398
                                                • DeleteDC.GDI32(00000000), ref: 0041839B
                                                • DeleteObject.GDI32(?), ref: 004183A1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconInfoLocal$BitmapBitsCursorDisplayDrawEnumSelectSettingsStretch
                                                • String ID: DISPLAY
                                                • API String ID: 1352755160-865373369
                                                • Opcode ID: 1713e221986eac5e09055e201b2983f957a8c2628f8d93144efb6ff1e3dc8593
                                                • Instruction ID: f05cd178694609e891ba83f5bdf02bb76ea447df34f4969275af8919d08089d1
                                                • Opcode Fuzzy Hash: 1713e221986eac5e09055e201b2983f957a8c2628f8d93144efb6ff1e3dc8593
                                                • Instruction Fuzzy Hash: 12C17C31508345AFD3209F25DC44BABBBE9FF88751F04082EF989932A1DB34E945CB5A
                                                APIs
                                                • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
                                                • GetProcAddress.KERNEL32(00000000), ref: 0041728F
                                                • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
                                                • GetProcAddress.KERNEL32(00000000), ref: 004172A3
                                                • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
                                                • GetProcAddress.KERNEL32(00000000), ref: 004172B7
                                                • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
                                                • GetProcAddress.KERNEL32(00000000), ref: 004172CB
                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
                                                • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
                                                • GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
                                                • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
                                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
                                                • TerminateProcess.KERNEL32(?,00000000), ref: 00417454
                                                • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
                                                • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
                                                • SetThreadContext.KERNEL32(?,00000000), ref: 00417575
                                                • ResumeThread.KERNEL32(?), ref: 00417582
                                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
                                                • GetCurrentProcess.KERNEL32(?), ref: 004175A5
                                                • TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
                                                • GetLastError.KERNEL32 ref: 004175C7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`#v$ntdll
                                                • API String ID: 4188446516-108836778
                                                • Opcode ID: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
                                                • Instruction ID: f03761d26bac9a2bfb1ad98f85ac7da09ef0bd98ba300517d6d91d37beebd467
                                                • Opcode Fuzzy Hash: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
                                                • Instruction Fuzzy Hash: EEA17C71508304AFD7209F65DC45B6B7BF9FF48345F00082AF689C2661E775E984CB6A
                                                APIs
                                                • CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
                                                • ExitProcess.KERNEL32 ref: 0041151D
                                                  • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                  • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                  • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
                                                • OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
                                                • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382
                                                  • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                  • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                  • Part of subcall function 004127D5: RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
                                                • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
                                                • GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
                                                • lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
                                                  • Part of subcall function 0041B58F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040A009,?,00000000,00000000), ref: 0041B5EB
                                                  • Part of subcall function 0041B58F: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A009,?,00000000,00000000), ref: 0041B5FF
                                                  • Part of subcall function 0041B58F: CloseHandle.KERNEL32(00000000,?,0040A009,?,00000000,00000000), ref: 0041B60C
                                                • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
                                                • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
                                                • OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
                                                • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1
                                                  • Part of subcall function 0041B58F: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6A5,00000000,00000000,?), ref: 0041B5CE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                                                • String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
                                                • API String ID: 4250697656-2665858469
                                                • Opcode ID: a9c2a87f9ee9c69a41b24408484deaf51afa781d98e0db61e01abaa28f191d2a
                                                • Instruction ID: b1cd6038c3dd2fca16f1d1fb39a824579eeb1b45f376adef666059b0b2e54ae4
                                                • Opcode Fuzzy Hash: a9c2a87f9ee9c69a41b24408484deaf51afa781d98e0db61e01abaa28f191d2a
                                                • Instruction Fuzzy Hash: D751B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D
                                                APIs
                                                  • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                  • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040C38B
                                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C39E
                                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040C3B7
                                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040C3E7
                                                  • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_000099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                                  • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                  • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
                                                  • Part of subcall function 0041B58F: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6A5,00000000,00000000,?), ref: 0041B5CE
                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C632
                                                • ExitProcess.KERNEL32 ref: 0040C63E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                • String ID: """, 0$")$@CG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                • API String ID: 1861856835-3168347843
                                                • Opcode ID: 0084137e0cf4c87855722601cfbf1a3198e8c736f4845412eba00602d73caec5
                                                • Instruction ID: c8b5e11b4abf5c95f8ab28b2bb359051ef64700817c412cd349ec45860bdb676
                                                • Opcode Fuzzy Hash: 0084137e0cf4c87855722601cfbf1a3198e8c736f4845412eba00602d73caec5
                                                • Instruction Fuzzy Hash: EB9175316042005AC314FB25D852ABF7799AF91718F10453FF98A631E2EF7CAD49C69E
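Three of the function records above read as a compact description of how this Remcos build installs, injects and cleans up. The function at 0041728C resolves ZwCreateSection / ZwMapViewOfSection / ZwUnmapViewOfSection / ZwClose from ntdll by hand, calls CreateProcessW with dwCreationFlags 0x00000004 (CREATE_SUSPENDED), reads four bytes from the child after GetThreadContext, writes into it, then SetThreadContext and ResumeThread: the textbook process-hollowing sequence. The function at 004112D4 takes a mutex, checks an "exepath" registry value, writes a copy to %TEMP% as temp_*.exe and runs it with ShellExecuteW("open"). The function at 0040C38B carries an embedded VBScript (Temp\update.vbs) that loops on fso.FileExists, deletes the binary and then itself, alongside the Run and Policies\Explorer\Run key paths. The triage helper below is an added example, not Joe Sandbox tooling: it parses report lines in exactly this "• Api.DLL(args), ref: ADDR" and "• String ID: a$b$c" form and flags those three behaviours by call order. SAMPLE is a trimmed copy of the report lines above; the function names and the ordering-by-call-site heuristic are mine, and a "?" argument means the sandbox could not recover that value.

```python
"""Triage helper over Joe Sandbox 'APIs' / 'String ID' lines.
Added example, not Joe Sandbox tooling; SAMPLE is copied (trimmed) from the
function records in the report.  Function names here are my own."""
from __future__ import annotations
import re
from dataclasses import dataclass

# One API line:  • Api.DLL(arg,arg,...), ref: 0041736C   (args optional,
# optional "Part of subcall function XXXX:" prefix, as the report prints them)
API_RE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<dll>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)
CREATE_SUSPENDED = 0x4  # dwCreationFlags bit; 6th CreateProcess argument
SELF_DELETE_MARKERS = ("while fso.FileExists(", "fso.DeleteFile(Wscript.ScriptFullName)")
RUN_KEYS = ("Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
            "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\")

@dataclass
class Call:
    api: str
    dll: str
    args: list[str]
    ref: int  # call-site address; the report lists calls unordered, so we sort on it

def parse_api_lines(text: str) -> list[Call]:
    """All API calls in the text, ordered by call-site address."""
    calls = []
    for m in API_RE.finditer(text):
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(Call(m["api"], m["dll"], args, int(m["ref"], 16)))
    return sorted(calls, key=lambda c: c.ref)

def parse_string_ids(text: str) -> list[str]:
    """Strings from '• String ID:' lines; the report separates them with '$'."""
    out: list[str] = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("• String ID:"):
            out += [s for s in line[len("• String ID:"):].strip().split("$") if s]
    return out

def _in_order(calls: list[Call], *steps) -> bool:
    """True if every step (api name, or (api name, predicate)) occurs after the step before it."""
    pos = 0
    for step in steps:
        name, pred = step if isinstance(step, tuple) else (step, lambda c: True)
        while pos < len(calls) and not (calls[pos].api == name and pred(calls[pos])):
            pos += 1
        if pos == len(calls):
            return False
        pos += 1
    return True

def _hex(arg: str) -> int:
    try:
        return int(arg, 16)
    except ValueError:  # '?' means the sandbox could not recover the value
        return 0

def detect_process_hollowing(calls: list[Call]) -> bool:
    """CreateProcess* with CREATE_SUSPENDED, then GetThreadContext -> WriteProcessMemory
    -> SetThreadContext -> ResumeThread at increasing call-site addresses."""
    def suspended(c: Call) -> bool:
        return len(c.args) > 5 and bool(_hex(c.args[5]) & CREATE_SUSPENDED)
    return any(_in_order(calls, (name, suspended), "GetThreadContext", "WriteProcessMemory",
                         "SetThreadContext", "ResumeThread")
               for name in ("CreateProcessW", "CreateProcessA"))

def detect_drop_and_execute(calls: list[Call]) -> bool:
    """GetTempFileName -> lstrcat '.exe' -> ShellExecute 'open': drop a copy in %TEMP% and run it."""
    return _in_order(calls, "GetTempFileNameW",
                     ("lstrcatW", lambda c: ".exe" in c.args),
                     ("ShellExecuteW", lambda c: "open" in c.args))

def detect_self_delete_script(strings: list[str]) -> bool:
    """Embedded VBScript that spins on FileExists, deletes the binary, then deletes itself."""
    return all(any(marker in s for s in strings) for marker in SELF_DELETE_MARKERS)

def persistence_keys(strings: list[str]) -> list[str]:
    return [s for s in strings if s in RUN_KEYS]

def triage(report_text: str) -> dict:
    calls, strings = parse_api_lines(report_text), parse_string_ids(report_text)
    return {"process_hollowing": detect_process_hollowing(calls),
            "drop_and_execute": detect_drop_and_execute(calls),
            "self_delete_script": detect_self_delete_script(strings),
            "run_keys": persistence_keys(strings)}

# Trimmed copy of the report's lines for the three functions discussed above.
SAMPLE = r'''
• GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
• GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
• ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
• SetThreadContext.KERNEL32(?,00000000), ref: 00417575
• ResumeThread.KERNEL32(?), ref: 00417582
• GetLastError.KERNEL32 ref: 004175C7
• GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
• lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
• ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
• String ID: """, 0$")$@CG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
'''

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Ordering by call-site address only approximates control flow within one function, so feed the helper one function record at a time (or the whole report, accepting that cross-function ordering is meaningless). The hollowing check deliberately requires the CREATE_SUSPENDED bit: the same five APIs without it are what a debugger or a legitimate installer also calls, and dropping the flag check is the usual source of false positives.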
                                                APIs
                                                • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2B2
                                                • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2C6
                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2EE
                                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A2FF
                                                • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A340
                                                • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A358
                                                • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A36D
                                                • SetEvent.KERNEL32 ref: 0041A38A
                                                • WaitForSingleObject.KERNEL32(000001F4), ref: 0041A39B
                                                • CloseHandle.KERNEL32 ref: 0041A3AB
                                                • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3CD
                                                • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3D7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                • String ID: alias audio$" type $TUF$close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
                                                • API String ID: 738084811-2745919808
                                                • Opcode ID: bedb79d6b777c24a058fb07aaadb0652bc7d041f343cfefae731751c07e31b37
                                                • Instruction ID: 9d48d6c6e0579c1e833a8367b0d02802659df9f73890df0c3e8ff2b6504ede8e
                                                • Opcode Fuzzy Hash: bedb79d6b777c24a058fb07aaadb0652bc7d041f343cfefae731751c07e31b37
                                                • Instruction Fuzzy Hash: 9A51C2712443056AD214BB31DC82EBF3B5CEB91758F10043FF455A21E2EE389D9986AF
                                                APIs
                                                  • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                  • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
                                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
                                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
                                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065
                                                  • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_000099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                                  • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                  • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
                                                  • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
                                                • ExitProcess.KERNEL32 ref: 0040C287
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                • String ID: ")$.vbs$@CG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                                • API String ID: 3797177996-1998216422
                                                • Opcode ID: 8eaf99752597ea1a4d10927b3751fb5e27277ddc3ade82d131f2180467ece9db
                                                • Instruction ID: 1063ce1f4075510d90626cdc8b34ac690c3cf2dc76fa2c9c3337a4c1feab76e8
                                                • Opcode Fuzzy Hash: 8eaf99752597ea1a4d10927b3751fb5e27277ddc3ade82d131f2180467ece9db
                                                • Instruction Fuzzy Hash: B78191316042005BC315FB21D862ABF77A9ABD1308F10453FF586A71E2EF7CAD49869E
                                                APIs
                                                • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
                                                • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
                                                • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
                                                • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
                                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
                                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
                                                • WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
                                                • WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
                                                • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
                                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
                                                • WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
                                                • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
                                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$Write$Create
                                                • String ID: RIFF$WAVE$data$fmt
                                                • API String ID: 1602526932-4212202414
                                                • Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                • Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
                                                • Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                • Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3
                                                APIs
                                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe,00000001,004068B2,C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
                                                • GetProcAddress.KERNEL32(00000000), ref: 004064FD
                                                • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
                                                • GetProcAddress.KERNEL32(00000000), ref: 00406511
                                                • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
                                                • GetProcAddress.KERNEL32(00000000), ref: 00406525
                                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
                                                • GetProcAddress.KERNEL32(00000000), ref: 00406539
                                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
                                                • GetProcAddress.KERNEL32(00000000), ref: 0040654D
                                                • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
                                                • GetProcAddress.KERNEL32(00000000), ref: 00406561
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressHandleModuleProc
                                                • String ID: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                • API String ID: 1646373207-510082443
                                                • Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                • Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
                                                • Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                • Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D
                                                APIs
                                                • _wcslen.LIBCMT ref: 0040BC75
                                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
                                                • CopyFileW.KERNEL32(C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
                                                • _wcslen.LIBCMT ref: 0040BD54
                                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
                                                • CopyFileW.KERNEL32(C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe,00000000,00000000), ref: 0040BDF2
                                                • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
                                                • _wcslen.LIBCMT ref: 0040BE34
                                                • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
                                                • ExitProcess.KERNEL32 ref: 0040BED0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                • String ID: 6$C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe$del$open$BG$BG
                                                • API String ID: 1579085052-740296710
                                                • Opcode ID: 3074b94dd0db5ede3fe92545a612de18a9a35f6e419f75cb91ba7ed246302fb8
                                                • Instruction ID: b3868b96a5a73c1b880f625a38b4c220dd420420d05b0a2cc1e840e3cd02b35d
                                                • Opcode Fuzzy Hash: 3074b94dd0db5ede3fe92545a612de18a9a35f6e419f75cb91ba7ed246302fb8
                                                • Instruction Fuzzy Hash: D251B0212043406BD609B722EC52EBF77999F81719F10443FF985A66E2DF3CAD4582EE
                                                APIs
                                                • lstrlenW.KERNEL32(?), ref: 0041B1D6
                                                • _memcmp.LIBVCRUNTIME ref: 0041B1EE
                                                • lstrlenW.KERNEL32(?), ref: 0041B207
                                                • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B242
                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B255
                                                • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B299
                                                • lstrcmpW.KERNEL32(?,?), ref: 0041B2B4
                                                • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2CC
                                                • _wcslen.LIBCMT ref: 0041B2DB
                                                • FindVolumeClose.KERNEL32(?), ref: 0041B2FB
                                                • GetLastError.KERNEL32 ref: 0041B313
                                                • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B340
                                                • lstrcatW.KERNEL32(?,?), ref: 0041B359
                                                • lstrcpyW.KERNEL32(?,?), ref: 0041B368
                                                • GetLastError.KERNEL32 ref: 0041B370
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                • String ID: ?
                                                • API String ID: 3941738427-1684325040
                                                • Opcode ID: 17f0383a2199e65fad79c02efdfd6f833a281a6f5bd6be27e9a359bd3f4b92bf
                                                • Instruction ID: 2e0df54dd889987763cd5022c3700ac4418931210c184d5857636408485aa128
                                                • Opcode Fuzzy Hash: 17f0383a2199e65fad79c02efdfd6f833a281a6f5bd6be27e9a359bd3f4b92bf
                                                • Instruction Fuzzy Hash: 8B416F71508305AAD7209FA1EC8C9EBB7E8EB49715F00096BF541C2261EB78C98887D6
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$EnvironmentVariable$_wcschr
                                                • String ID:
                                                • API String ID: 3899193279-0
                                                • Opcode ID: 6267e3def292f84dd9e33adbac7387806370fb3e846e7c9bec72720c454fd2de
                                                • Instruction ID: 8ac3cd9939a067627e1c481289c57a7f9f94b657261427fab31af25724b0c78e
                                                • Opcode Fuzzy Hash: 6267e3def292f84dd9e33adbac7387806370fb3e846e7c9bec72720c454fd2de
                                                • Instruction Fuzzy Hash: 96D13C719007007FFB25AF7B9881A6F7BA4BF02314F0541AFF905A7381E63989418B9D
                                                APIs
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
                                                  • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
                                                  • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                  • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                • Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
                                                • Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
                                                • Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
                                                • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
                                                • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
                                                • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
                                                • Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
                                                • Sleep.KERNEL32(00000064), ref: 00412060
                                                  • Part of subcall function 00404468: send.WS2_32(00000304,00000000,00000000,00000000), ref: 004044FD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                • String ID: /stext "$HDG$HDG$>G$>G
                                                • API String ID: 1223786279-3931108886
                                                • Opcode ID: 244db93aa1da19b7a039dbc034faf8c6a001f6843826ea2c079329fcbee235f9
                                                • Instruction ID: 1febf249a593eb43810efab42e14b6693ac358e03ba90545e56d33427da79e18
                                                • Opcode Fuzzy Hash: 244db93aa1da19b7a039dbc034faf8c6a001f6843826ea2c079329fcbee235f9
                                                • Instruction Fuzzy Hash: 960243315083414AC325FB61D891AEFB7D5AFD4308F50493FF88A931E2EF785A49C69A
                                                APIs
                                                • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CAE9
                                                • GetCursorPos.USER32(?), ref: 0041CAF8
                                                • SetForegroundWindow.USER32(?), ref: 0041CB01
                                                • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB1B
                                                • Shell_NotifyIconA.SHELL32(00000002,00473B50), ref: 0041CB6C
                                                • ExitProcess.KERNEL32 ref: 0041CB74
                                                • CreatePopupMenu.USER32 ref: 0041CB7A
                                                • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB8F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                • String ID: Close
                                                • API String ID: 1657328048-3535843008
                                                • Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                • Instruction ID: a66ed96c0d91d71762f770de87d5f41dd37c70c4e97b210e23d221b2b7ccacbc
                                                • Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                • Instruction Fuzzy Hash: 68212B71188209FFDB064F64FD4EAAA3F65EB04342F044135B906D40B2D7B9EA90EB18
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$Info
                                                • String ID:
                                                • API String ID: 2509303402-0
                                                • Opcode ID: 92603ff5876a01059927d2e021ea2dcfde124e6bc6800bb968541682ce1897e5
                                                • Instruction ID: 0af7f9009007d8880989bd470fdb3e4a62bb8e65dbd2af1b74ff5c8893cb1db7
                                                • Opcode Fuzzy Hash: 92603ff5876a01059927d2e021ea2dcfde124e6bc6800bb968541682ce1897e5
                                                • Instruction Fuzzy Hash: D0B18F71900605AFEF11DFA9C881BEEBBF4BF49304F14406EF855B7242DA79A8458B64
                                                APIs
                                                • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
                                                • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
                                                • __aulldiv.LIBCMT ref: 00407FE9
                                                • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
                                                • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
                                                • CloseHandle.KERNEL32(00000000), ref: 00408200
                                                • CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
                                                • CloseHandle.KERNEL32(00000000), ref: 00408256
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                                                • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
                                                • API String ID: 1884690901-3066803209
                                                • Opcode ID: 501f13347773ca8328b3059530cc4ad15e8023a44e4b73c6fbf9ab171f8d0e31
                                                • Instruction ID: 222450ca6543349723abdfa1177da379b39b5876d7444fbb960ea0ab75079841
                                                • Opcode Fuzzy Hash: 501f13347773ca8328b3059530cc4ad15e8023a44e4b73c6fbf9ab171f8d0e31
                                                • Instruction Fuzzy Hash: DAB191316083409BC214FB25C892AAFB7E5AFD4314F40492EF885632D2EF789945C79B
                                                APIs
                                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                                • LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                                • FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                                • LoadLibraryA.KERNEL32(?), ref: 00413F27
                                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                                • FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                                • GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                                • FreeLibrary.KERNEL32(00000000), ref: 00413F66
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                • String ID: \ws2_32$\wship6$getaddrinfo
                                                • API String ID: 2490988753-3078833738
                                                • Opcode ID: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                                • Instruction ID: a4547f3d416e9253f7b1cbdd0907a67efdadb69b2b53743d1710677937ed8fa2
                                                • Opcode Fuzzy Hash: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                                • Instruction Fuzzy Hash: 6D31C4B1906315A7D320AF25DC44ACBB7ECEF44745F400A2AF844D3201D778DA858AEE
                                                APIs
                                                • ___free_lconv_mon.LIBCMT ref: 004500B1
                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F300
                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F312
                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F324
                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F336
                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F348
                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F35A
                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F36C
                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F37E
                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F390
                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3A2
                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3B4
                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3C6
                                                  • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3D8
                                                • _free.LIBCMT ref: 004500A6
                                                  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                  • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                • _free.LIBCMT ref: 004500C8
                                                • _free.LIBCMT ref: 004500DD
                                                • _free.LIBCMT ref: 004500E8
                                                • _free.LIBCMT ref: 0045010A
                                                • _free.LIBCMT ref: 0045011D
                                                • _free.LIBCMT ref: 0045012B
                                                • _free.LIBCMT ref: 00450136
                                                • _free.LIBCMT ref: 0045016E
                                                • _free.LIBCMT ref: 00450175
                                                • _free.LIBCMT ref: 00450192
                                                • _free.LIBCMT ref: 004501AA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                • String ID:
                                                • API String ID: 161543041-0
                                                • Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                • Instruction ID: 6df0fc8d0da410edbfddc8482cd9dc810a80ebbb5b2f86b8c24a0bb33e3d08c7
                                                • Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                • Instruction Fuzzy Hash: 96317235500B00AFEB20AA35D845B5B73E5AF42355F15841FF849E7292DF39AC98CB1A
                                                APIs
                                                • __EH_prolog.LIBCMT ref: 0041912D
                                                • GdiplusStartup.GDIPLUS(00473AF0,?,00000000), ref: 0041915F
                                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191EB
                                                • Sleep.KERNEL32(000003E8), ref: 0041926D
                                                • GetLocalTime.KERNEL32(?), ref: 0041927C
                                                • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419365
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                • String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                • API String ID: 489098229-65789007
                                                • Opcode ID: d035b23978f635d26d413941e86b53147c054b16f8fc180901addfee223a089d
                                                • Instruction ID: b922dce7c629cfc9b1bb11cb74a08c0e3353b39699bf4d86e46594d10c943285
                                                • Opcode Fuzzy Hash: d035b23978f635d26d413941e86b53147c054b16f8fc180901addfee223a089d
                                                • Instruction Fuzzy Hash: 33519F71A002449ACB14BBB5C856AFE7BA9AB55304F00407FF84AB71D2EF3C5E85C799
                                                APIs
                                                  • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                  • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                  • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                  • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                  • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
                                                • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
                                                • ExitProcess.KERNEL32 ref: 0040C832
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                • String ID: """, 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                • API String ID: 1913171305-390638927
                                                • Opcode ID: 508d0871e15571b78838a5b212a0624c53e744e3e86450f5b9076bd3877095ab
                                                • Instruction ID: a795a6540db69397e2c5d2b70f340dd787df27bacd58b350937fb1c0aad7b7c4
                                                • Opcode Fuzzy Hash: 508d0871e15571b78838a5b212a0624c53e744e3e86450f5b9076bd3877095ab
                                                • Instruction Fuzzy Hash: A2416D329001185ACB14F762DC56DFE7779AF50718F50417FF906B30E2EE386A8ACA99
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free
                                                • String ID:
                                                • API String ID: 269201875-0
                                                • Opcode ID: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                                • Instruction ID: 48066223020562dfe8895eb3edc0e70975ef38ab3c96fc6f1fb07286cb8ca08d
                                                • Opcode Fuzzy Hash: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                                • Instruction Fuzzy Hash: 2BC15772D80204BFEB20DBA9CC82FDE77F89B45704F15416AFA04FB282D6749D458B58
                                                APIs
                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                                                • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                                                • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                                                • closesocket.WS2_32(000000FF), ref: 0040481F
                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404856
                                                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404867
                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040486E
                                                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404880
                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404885
                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040488A
                                                • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404895
                                                • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 0040489A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                • String ID:
                                                • API String ID: 3658366068-0
                                                • Opcode ID: c0811b9552baa960996580efd3a95ddbe219791cb6e29288b5199f5b52bda897
                                                • Instruction ID: 5504d0c870acfe65fd0076db90b097e51f0e6d2514c589c74abed5ba37c9c78a
                                                • Opcode Fuzzy Hash: c0811b9552baa960996580efd3a95ddbe219791cb6e29288b5199f5b52bda897
                                                • Instruction Fuzzy Hash: 3C212C71104B149FCB216B26EC45A27BBE1EF40325F104A7EF2E612AF1CB76E851DB48
                                                APIs
                                                  • Part of subcall function 00454650: CreateFileW.KERNEL32(00000000,?,?,+JE,?,?,00000000,?,00454A2B,00000000,0000000C), ref: 0045466D
                                                • GetLastError.KERNEL32 ref: 00454A96
                                                • __dosmaperr.LIBCMT ref: 00454A9D
                                                • GetFileType.KERNEL32(00000000), ref: 00454AA9
                                                • GetLastError.KERNEL32 ref: 00454AB3
                                                • __dosmaperr.LIBCMT ref: 00454ABC
                                                • CloseHandle.KERNEL32(00000000), ref: 00454ADC
                                                • CloseHandle.KERNEL32(?), ref: 00454C26
                                                • GetLastError.KERNEL32 ref: 00454C58
                                                • __dosmaperr.LIBCMT ref: 00454C5F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                • String ID: H
                                                • API String ID: 4237864984-2852464175
                                                • Opcode ID: 43154248a50fd66e96ac6d70bada307b7577a7ac671062952f04f408382b00d8
                                                • Instruction ID: 324c09394b40af715295ff654573b8bda7a64cd12b4111e7ce26936e53f9a861
                                                • Opcode Fuzzy Hash: 43154248a50fd66e96ac6d70bada307b7577a7ac671062952f04f408382b00d8
                                                • Instruction Fuzzy Hash: B0A148329041044FDF19EF78D8427AE7BA0AB86319F14015EFC159F392DB398C86C75A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: 65535$udp
                                                • API String ID: 0-1267037602
                                                • Opcode ID: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                                • Instruction ID: a76ad32841e4dbbb66723cf4e0556afe3febbbe66cdf8f55616d13ac9502c32b
                                                • Opcode Fuzzy Hash: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                                • Instruction Fuzzy Hash: 9D4118716083019BD7209F29E905BAB7BD8EF85706F04082FF84197391E76DCEC186AE
                                                APIs
                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
                                                • CloseHandle.KERNEL32(00000000), ref: 00416F2D
                                                • DeleteFileA.KERNEL32(00000000), ref: 00416F3C
                                                • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416EF0
                                                  • Part of subcall function 00404468: send.WS2_32(00000304,00000000,00000000,00000000), ref: 004044FD
                                                Strings
                                                Yara matches
                                                Similarity
                                                • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                                • String ID: <$@$@FG$@FG$TUF$Temp
                                                • API String ID: 1107811701-4124992407
                                                • Opcode ID: 752ca13c782d44821a1ec6be30a7add5be14379de4efd94ca99b1656ba8a68f0
                                                • Instruction ID: 21bac8b1790940aaec7d6d8591dec239f7d6dde33bc15b5890dc9a9e7f2861e5
                                                • Opcode Fuzzy Hash: 752ca13c782d44821a1ec6be30a7add5be14379de4efd94ca99b1656ba8a68f0
                                                • Instruction Fuzzy Hash: E8319C319002099BCB04FBA1DC56AFE7775AF50308F00417EF906760E2EF785A8ACB99
                                                APIs
                                                • GetCurrentProcess.KERNEL32(00474A28,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
                                                • GetCurrentProcess.KERNEL32(00474A28,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe), ref: 00406705
                                                Strings
                                                Yara matches
                                                Similarity
                                                • API ID: CurrentProcess
                                                • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$pUF$windir$BG3i@
                                                • API String ID: 2050909247-1144799832
                                                • Opcode ID: 5f4c91d6b24130c8fe2f88965ff0ff9b6bb2609424b04334da58237aef4b63a8
                                                • Instruction ID: 423827b33d6c667fb1d0fc3afb55bdad30249121d517be796f0b9763ce16cf58
                                                • Opcode Fuzzy Hash: 5f4c91d6b24130c8fe2f88965ff0ff9b6bb2609424b04334da58237aef4b63a8
                                                • Instruction Fuzzy Hash: B2310871250700AFC300AB65EC45F6A37B8EB84716F11043EF50AE76E1EB79A8508B6D
                                                APIs
                                                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393B9
                                                • GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C6
                                                • __dosmaperr.LIBCMT ref: 004393CD
                                                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393F9
                                                • GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439403
                                                • __dosmaperr.LIBCMT ref: 0043940A
                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043944D
                                                • GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439457
                                                • __dosmaperr.LIBCMT ref: 0043945E
                                                • _free.LIBCMT ref: 0043946A
                                                • _free.LIBCMT ref: 00439471
                                                Yara matches
                                                Similarity
                                                • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                • String ID:
                                                • API String ID: 2441525078-0
                                                • Opcode ID: 684e6fef7141b114c3b5ff973dde56bcea396d28ee1fdac90182f4155713f89e
                                                • Instruction ID: 902c93592471d116807dca9985149206a76c62e8192f2f9a6cc20a0486345b12
                                                • Opcode Fuzzy Hash: 684e6fef7141b114c3b5ff973dde56bcea396d28ee1fdac90182f4155713f89e
                                                • Instruction Fuzzy Hash: F531F17140820ABBEF11AFA5DC449AF3B78EF09364F14016AF81066291DB79CC12DBA9
                                                APIs
                                                • SetEvent.KERNEL32(?,?), ref: 00404E71
                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
                                                • TranslateMessage.USER32(?), ref: 00404F30
                                                • DispatchMessageA.USER32(?), ref: 00404F3B
                                                • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 00404FF3
                                                • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
                                                  • Part of subcall function 00404468: send.WS2_32(00000304,00000000,00000000,00000000), ref: 004044FD
                                                Strings
                                                Yara matches
                                                Similarity
                                                • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                • String ID: CloseChat$DisplayMessage$GetMessage
                                                • API String ID: 2956720200-749203953
                                                • Opcode ID: c4ad9a90b942ac681967bb30370cc32e2bfaf3350bfdfa964f09f26605a8287a
                                                • Instruction ID: a70547b48422ce96676d24762269450ce3f1821fc9982c67352fb5fd346d99ba
                                                • Opcode Fuzzy Hash: c4ad9a90b942ac681967bb30370cc32e2bfaf3350bfdfa964f09f26605a8287a
                                                • Instruction Fuzzy Hash: F741BFB16043016BC714FB75DC5A8AE77A9ABC1714F40093EF906A31E6EF38DA05C79A
                                                APIs
                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419C94
                                                • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CAB
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CB8
                                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CC7
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CD8
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CDB
                                                Yara matches
                                                Similarity
                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                • String ID:
                                                • API String ID: 221034970-0
                                                • Opcode ID: 83979f30ba13052199b290374f4e897ff0c223aa30bace9cb26b013bf86a6d8f
                                                • Instruction ID: aaf019a9b49167a30595a2ca3c371567d0eeee9026f0995440eeab6e66ec65be
                                                • Opcode Fuzzy Hash: 83979f30ba13052199b290374f4e897ff0c223aa30bace9cb26b013bf86a6d8f
                                                • Instruction Fuzzy Hash: 00118632901218AFD7116B64EC85DFF3FACDB45BA5B000036F502921D1DB64DD46AAF5
                                                APIs
                                                • _free.LIBCMT ref: 00446DDF
                                                  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                  • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                • _free.LIBCMT ref: 00446DEB
                                                • _free.LIBCMT ref: 00446DF6
                                                • _free.LIBCMT ref: 00446E01
                                                • _free.LIBCMT ref: 00446E0C
                                                • _free.LIBCMT ref: 00446E17
                                                • _free.LIBCMT ref: 00446E22
                                                • _free.LIBCMT ref: 00446E2D
                                                • _free.LIBCMT ref: 00446E38
                                                • _free.LIBCMT ref: 00446E46
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                • Instruction ID: b6db37451886405a3c03f61b360184b61b1678451e8b30ee63348233c964278a
                                                • Opcode Fuzzy Hash: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                • Instruction Fuzzy Hash: F011E975100408BFEB01EF55C842CDD3B65EF46354B06C0AAF9086F222DA35DE649F85
                                                APIs
                                                • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041B846
                                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B88A
                                                • RegCloseKey.ADVAPI32(?), ref: 0041BB54
                                                Strings
                                                • DisplayName, xrefs: 0041B8D1
                                                • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041B83C
                                                Yara matches
                                                Similarity
                                                • API ID: CloseEnumOpen
                                                • String ID: DisplayName$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                • API String ID: 1332880857-3614651759
                                                • Opcode ID: beee8cc8128c5b6292a52baa65063b935d7e49e28abb99bedb81eb58e8c596e1
                                                • Instruction ID: 4ca6cd9db44c7b11bab16217f2b7ba144dfc64e74838f3250c32f9e768a6938f
                                                • Opcode Fuzzy Hash: beee8cc8128c5b6292a52baa65063b935d7e49e28abb99bedb81eb58e8c596e1
                                                • Instruction Fuzzy Hash: 8C812E311082449BD324EB11DC51AEFB7E9FFD4314F10493FB58A921E1EF74AA49CA9A
                                                APIs
                                                Strings
                                                Yara matches
                                                Similarity
                                                • API ID: Eventinet_ntoa
                                                • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
                                                • API String ID: 3578746661-4192532303
                                                • Opcode ID: c490fc925416a975ca1fba66d43efb3b49cc59d35ab214930b24f748f99792d1
                                                • Instruction ID: 9533851bb4e74ac183efc1d320b4a1154e984465ef7073577260c431c5a81f81
                                                • Opcode Fuzzy Hash: c490fc925416a975ca1fba66d43efb3b49cc59d35ab214930b24f748f99792d1
                                                • Instruction Fuzzy Hash: E8518471A042009BC714F779D85AAAE36A59B80318F40453FF849972E2DF7CAD85CB9F
                                                APIs
                                                • ExitThread.KERNEL32 ref: 004017F4
                                                  • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                                  • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                                • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902
                                                  • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                • __Init_thread_footer.LIBCMT ref: 004017BC
                                                  • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                                  • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                                Strings
                                                Yara matches
                                                Similarity
                                                • API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                • String ID: T=G$p[G$xi$>G$>G
                                                • API String ID: 1596592924-3040371395
                                                • Opcode ID: f7dd7ff43e8fa91a01b380b53589ec67711359c1a88f3d5bbceeae34eeda83d9
                                                • Instruction ID: b2aa677fe1363808454ef9d3704f93b9908b7cd688e3fd59dcdd6ad405d7ff49
                                                • Opcode Fuzzy Hash: f7dd7ff43e8fa91a01b380b53589ec67711359c1a88f3d5bbceeae34eeda83d9
                                                • Instruction Fuzzy Hash: 0D41A0316042019BC324FB65DCA6EAE73A4EB94318F00453FF54AA71F2DF78A945C65E
                                                APIs
                                                • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
                                                  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                • Sleep.KERNEL32(00000064), ref: 00416688
                                                • DeleteFileW.KERNEL32(00000000), ref: 004166BC
                                                Strings
                                                Yara matches
                                                Similarity
                                                • API ID: File$CreateDeleteExecuteShellSleep
                                                • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                • API String ID: 1462127192-2001430897
                                                • Opcode ID: d94b8c85182ea572c803bf7ed9f069f989e38430cde1dbff2418cf4f66068fd6
                                                • Instruction ID: 72b86f905f1643b809cd09d25b02ba286255726e8958c1b91c3bd62dba73c542
                                                • Opcode Fuzzy Hash: d94b8c85182ea572c803bf7ed9f069f989e38430cde1dbff2418cf4f66068fd6
                                                • Instruction Fuzzy Hash: FD313E719001085ADB14FBA1DC96EEE7764AF50708F00013FF906731E2EF786A8ACA9D
                                                APIs
                                                • _strftime.LIBCMT ref: 00401AD3
                                                  • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                • waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
                                                • waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
                                                • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
                                                Strings
                                                Yara matches
                                                Similarity
                                                • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                • String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
                                                • API String ID: 3809562944-3643129801
                                                • Opcode ID: b8eed0d151ccb6e5a82338ef45dd5c7a6e48c5c8e1108a83b815f9cf038dc0a3
                                                • Instruction ID: ec6e8c75c27496dd15f6dcc160753dc5291fcfbcfc36b55cd818fae73feeac55
                                                • Opcode Fuzzy Hash: b8eed0d151ccb6e5a82338ef45dd5c7a6e48c5c8e1108a83b815f9cf038dc0a3
                                                • Instruction Fuzzy Hash: 6C317E315053009BC314EF25DC56A9E77E8BB94314F00883EF559A21F1EF78AA49CB9A
                                                APIs
                                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
                                                • waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
                                                • waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
                                                • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
                                                • waveInStart.WINMM ref: 00401A81
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                • String ID: XCG$`=G$x=G
                                                • API String ID: 1356121797-903574159
                                                • Opcode ID: df66b5dce40286873da021395106849cc9c08a1aee5ad096444ea0181d895aab
                                                • Instruction ID: 1c4952ee711c82e1d68262a7885cb64ec938acb60d992cd4a46dee1db52e037b
                                                • Opcode Fuzzy Hash: df66b5dce40286873da021395106849cc9c08a1aee5ad096444ea0181d895aab
                                                • Instruction Fuzzy Hash: 87215C316012009BC704DF7EFD1696A7BA9FB85742B00843AF50DE76B0EBB89880CB4C
                                                APIs
                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C988
                                                  • Part of subcall function 0041CA1F: RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                                  • Part of subcall function 0041CA1F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                                  • Part of subcall function 0041CA1F: GetLastError.KERNEL32 ref: 0041CA91
                                                • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9BF
                                                • lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9D9
                                                • Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9EF
                                                • TranslateMessage.USER32(?), ref: 0041C9FB
                                                • DispatchMessageA.USER32(?), ref: 0041CA05
                                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA12
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                • String ID: Remcos
                                                • API String ID: 1970332568-165870891
                                                • Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                • Instruction ID: 0af2178feff80faf092f0d4c6bffee9b758878d1eb04e36c9ad6546aee081b39
                                                • Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                • Instruction Fuzzy Hash: 760121B1944344ABD7109FA5FC4CEDA7BBCAB45B16F004035F605E2162D7B8A285DB2D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b03e61c4093a21660133e67fc3f0c2c165a648bd703d9864a2b1dbb5c11dd296
                                                • Instruction ID: 1e235cce983953b2f50cc3566bc78ab2d8216d31b9fa4c429b6f00869d8f9d70
                                                • Opcode Fuzzy Hash: b03e61c4093a21660133e67fc3f0c2c165a648bd703d9864a2b1dbb5c11dd296
                                                • Instruction Fuzzy Hash: 27C1D774D04249AFEF11DFA9C8417AEBBB4FF4A304F14405AE814A7392C778D941CBA9
                                                APIs
                                                • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00452E03,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00452BD6
                                                • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452C59
                                                • __alloca_probe_16.LIBCMT ref: 00452C91
                                                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00452E03,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452CEC
                                                • __alloca_probe_16.LIBCMT ref: 00452D3B
                                                • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D03
                                                  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D7F
                                                • __freea.LIBCMT ref: 00452DAA
                                                • __freea.LIBCMT ref: 00452DB6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                • String ID:
                                                • API String ID: 201697637-0
                                                • Opcode ID: 33853d2748869a5bbf0e5c11ad0ba2693683b8c54e761c696d343b85774101d6
                                                • Instruction ID: c0da75549b7b47b94c7346473649b17197e9394d7568cc7349c1d05b16f9ad8a
                                                • Opcode Fuzzy Hash: 33853d2748869a5bbf0e5c11ad0ba2693683b8c54e761c696d343b85774101d6
                                                • Instruction Fuzzy Hash: F391D872E002169BDF218E64CA51EEF7BB5AF0A315F14055BEC04E7243D7A9DC48CB68
                                                APIs
                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                • _memcmp.LIBVCRUNTIME ref: 004446A3
                                                • _free.LIBCMT ref: 00444714
                                                • _free.LIBCMT ref: 0044472D
                                                • _free.LIBCMT ref: 0044475F
                                                • _free.LIBCMT ref: 00444768
                                                • _free.LIBCMT ref: 00444774
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorLast$_abort_memcmp
                                                • String ID: C
                                                • API String ID: 1679612858-1037565863
                                                • Opcode ID: 17903f2486249c1948a877ea9dae5677bcd3f5fa43e019d40c9c3c4da5d63b1f
                                                • Instruction ID: 3c523a64da6f7cdf058c983f33271b3c05ff2f19a58e511a78fa6d1555c07658
                                                • Opcode Fuzzy Hash: 17903f2486249c1948a877ea9dae5677bcd3f5fa43e019d40c9c3c4da5d63b1f
                                                • Instruction Fuzzy Hash: 19B13975A012199FEB24DF18C885BAEB7B4FB49304F1485AEE909A7350D739AE90CF44
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: tcp$udp
                                                • API String ID: 0-3725065008
                                                • Opcode ID: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                                • Instruction ID: e59cad8d3053530f07be13ad944632c35d9115139dfdf9e987abb4c2b311e0ee
                                                • Opcode Fuzzy Hash: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                                • Instruction Fuzzy Hash: 9171AB316083128FDB24CE5584847ABB6E4AF84746F10043FF885A7352E778DE85CB9A
                                                APIs
                                                • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1
                                                  • Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                  • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                  • Part of subcall function 00404468: send.WS2_32(00000304,00000000,00000000,00000000), ref: 004044FD
                                                • RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseEnumInfoOpenQuerysend
                                                • String ID: TUF$TUFTUF$>G$DG$DG
                                                • API String ID: 3114080316-72097156
                                                • Opcode ID: b79f96b98849828189ce12a55a5e60de86127cd7c836c6bc3b0d8c974564a8ee
                                                • Instruction ID: 92049c6ae7fba3f13a57cd60a3827c89810429dfa6cf24b756c0ab1f01d338b1
                                                • Opcode Fuzzy Hash: b79f96b98849828189ce12a55a5e60de86127cd7c836c6bc3b0d8c974564a8ee
                                                • Instruction Fuzzy Hash: 0141A2316042009BC224F635D9A2AEF7394AFD0708F50843FF94A671E2EF7C5D4986AE
                                                APIs
                                                • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                  • Part of subcall function 00404468: send.WS2_32(00000304,00000000,00000000,00000000), ref: 004044FD
                                                • CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                • MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
                                                • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
                                                  • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
                                                  • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                • String ID: .part
                                                • API String ID: 1303771098-3499674018
                                                • Opcode ID: 124c633532e8600691c4108089ff1e2e84c33ce980c006a8ee94900b53e6ed61
                                                • Instruction ID: a9f2b94bfe891e644ef5b97f564769cd4b441703f4f7d546a0b6aea2ef9939f1
                                                • Opcode Fuzzy Hash: 124c633532e8600691c4108089ff1e2e84c33ce980c006a8ee94900b53e6ed61
                                                • Instruction Fuzzy Hash: 1C31C2715083019FD210EF21DD459AFB7A8FB85715F40093FF9C6A21A1DB38AA48CB9A
                                                APIs
                                                  • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
                                                  • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
                                                  • Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE
                                                  • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                  • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
                                                • _wcslen.LIBCMT ref: 0041A8F6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                                • String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
                                                • API String ID: 3286818993-703403762
                                                • Opcode ID: d31394a1e59778cac49212debd323097d31c222899c914d30ad8a284f22ebc6c
                                                • Instruction ID: cf464564bb47d370653928ac6653466accee15d45f6204cdc17a1bec324f9b19
                                                • Opcode Fuzzy Hash: d31394a1e59778cac49212debd323097d31c222899c914d30ad8a284f22ebc6c
                                                • Instruction Fuzzy Hash: 3021B8727001043BDB04BAB58C96DEE366D9B85358F14083FF402F72C2ED3C9D5942A9
                                                APIs
                                                  • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                  • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                  • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                                • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
                                                • PathFileExistsA.SHLWAPI(?), ref: 0040B779
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders$TUF
                                                • API String ID: 1133728706-1738023494
                                                • Opcode ID: 855e2cf6618f683fcf1880faecf3eef8977eac3d94cb5d0ef317c0a3041edc6c
                                                • Instruction ID: d844a8c095f6bc09782a4352348c5dfd082864f820bca84d12e352ec49be167e
                                                • Opcode Fuzzy Hash: 855e2cf6618f683fcf1880faecf3eef8977eac3d94cb5d0ef317c0a3041edc6c
                                                • Instruction Fuzzy Hash: 5F216D71A00109A6CB04F7B2DCA69EE7764AE95318F40013FE902771D2EB7C9A49C6DE
                                                APIs
                                                • AllocConsole.KERNEL32(00474358), ref: 0041BEB9
                                                • GetConsoleWindow.KERNEL32 ref: 0041BEBF
                                                • ShowWindow.USER32(00000000,00000000), ref: 0041BED2
                                                • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BEF7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Console$Window$AllocOutputShow
                                                • String ID: Remcos v$5.3.0 Pro$CONOUT$
                                                • API String ID: 4067487056-2527699604
                                                • Opcode ID: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                                                • Instruction ID: 482f1cdaf256b8236abc94a0b12de3dc55517b66349f776fa4240982defd8f75
                                                • Opcode Fuzzy Hash: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                                                • Instruction Fuzzy Hash: 180171B19803047BD600FBF29D4BFDD37AC9B14705F5004277644E7093EABCA554866D
                                                APIs
                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043D564,0043D564,?,?,?,00449BA1,00000001,00000001,1AE85006), ref: 004499AA
                                                • __alloca_probe_16.LIBCMT ref: 004499E2
                                                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00449BA1,00000001,00000001,1AE85006,?,?,?), ref: 00449A30
                                                • __alloca_probe_16.LIBCMT ref: 00449AC7
                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,1AE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B2A
                                                • __freea.LIBCMT ref: 00449B37
                                                  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                • __freea.LIBCMT ref: 00449B40
                                                • __freea.LIBCMT ref: 00449B65
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                • String ID:
                                                • API String ID: 3864826663-0
                                                • Opcode ID: 352025556551dac2c37919268567461b7de28f4f732b96d5dc4c3903fd0b0184
                                                • Instruction ID: d3450b84a68f20df6837e20b70452335b33749c243a385fd48b45426a0ff81fe
                                                • Opcode Fuzzy Hash: 352025556551dac2c37919268567461b7de28f4f732b96d5dc4c3903fd0b0184
                                                • Instruction Fuzzy Hash: 89511572610246AFFB258F65DC81EBB77A9EB44754F15462EFC04E6240EF38EC40E668
                                                APIs
                                                • SendInput.USER32 ref: 00418B08
                                                • SendInput.USER32(00000001,?,0000001C), ref: 00418B30
                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B57
                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B75
                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B95
                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BBA
                                                • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BDC
                                                • SendInput.USER32(00000001,?,0000001C), ref: 00418BFF
                                                  • Part of subcall function 00418AB1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AB7
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: InputSend$Virtual
                                                • String ID:
                                                • API String ID: 1167301434-0
                                                • Opcode ID: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                                • Instruction ID: ee8b26819532887277ba411a2a2a0296f2420856d0f10470abe43a11d9a37015
                                                • Opcode Fuzzy Hash: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                                • Instruction Fuzzy Hash: 3231A471248345AAE210DF65D841FDFFBECAFC5B44F04080FB98457291DAA4D98C87AB
                                                APIs
                                                • OpenClipboard.USER32 ref: 00415A46
                                                • EmptyClipboard.USER32 ref: 00415A54
                                                • CloseClipboard.USER32 ref: 00415A5A
                                                • OpenClipboard.USER32 ref: 00415A61
                                                • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                • CloseClipboard.USER32 ref: 00415A89
                                                  • Part of subcall function 00404468: send.WS2_32(00000304,00000000,00000000,00000000), ref: 004044FD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                • String ID:
                                                • API String ID: 2172192267-0
                                                • Opcode ID: d51e9d9b7c83d4b7240a3047c26a9a5e57fadfb447c4903058641008fff525ed
                                                • Instruction ID: 9b100a12d13cc6c4196ee8fc3e520842cce62831b2d72284ea91ff5550736cd9
                                                • Opcode Fuzzy Hash: d51e9d9b7c83d4b7240a3047c26a9a5e57fadfb447c4903058641008fff525ed
                                                • Instruction Fuzzy Hash: A10152312083009FC314BB75EC5AAEE77A5AFC0762F41457EFD06861A2DF38C845D65A
                                                APIs
                                                • _free.LIBCMT ref: 00447EBC
                                                • _free.LIBCMT ref: 00447EE0
                                                • _free.LIBCMT ref: 00448067
                                                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
                                                • _free.LIBCMT ref: 00448233
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                • String ID:
                                                • API String ID: 314583886-0
                                                • Opcode ID: 4d66406e984c604246852defaa851237a19ea919a7a16fb56f132950f37b46de
                                                • Instruction ID: d74e55ca02e924b9256a88f94e7be2aa31ce1fd8fbfcff02d88bcfbefc6cbd9d
                                                • Opcode Fuzzy Hash: 4d66406e984c604246852defaa851237a19ea919a7a16fb56f132950f37b46de
                                                • Instruction Fuzzy Hash: 32C12871904205ABFB24DF799C41AAE7BB8EF46314F2441AFE484A7351EB388E47C758
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free
                                                • String ID:
                                                • API String ID: 269201875-0
                                                • Opcode ID: 154a0d9c569a12efbd1fb523a4d55ce0e4318de2d30962be95ff360cd9ef53d7
                                                • Instruction ID: 5fecc71d39e6a90402c47f7728bb4f6831cdfeb90858b0dfc168023e2edb8b83
                                                • Opcode Fuzzy Hash: 154a0d9c569a12efbd1fb523a4d55ce0e4318de2d30962be95ff360cd9ef53d7
                                                • Instruction Fuzzy Hash: 2361BFB1900205AFEB20DF69C841BAABBF4EB45720F24417BE944FB392E7349D45CB59
                                                APIs
                                                  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                • _free.LIBCMT ref: 00444086
                                                • _free.LIBCMT ref: 0044409D
                                                • _free.LIBCMT ref: 004440BC
                                                • _free.LIBCMT ref: 004440D7
                                                • _free.LIBCMT ref: 004440EE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$AllocateHeap
                                                • String ID: J7D
                                                • API String ID: 3033488037-1677391033
                                                • Opcode ID: 7bd75c35ecc30b271b00b77e92f4063212cf76abbfff81b413b55d476d69b5fb
                                                • Instruction ID: b5a2c1f2d034459fb850ff781f480331835685433a1d37f27cfcf8091ebf3f31
                                                • Opcode Fuzzy Hash: 7bd75c35ecc30b271b00b77e92f4063212cf76abbfff81b413b55d476d69b5fb
                                                • Instruction Fuzzy Hash: 9251E371A00604AFEB20DF6AC841B6AB3F4EF95724F14416EE909D7251E739ED15CB88
                                                APIs
                                                • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0044A838,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A105
                                                • __fassign.LIBCMT ref: 0044A180
                                                • __fassign.LIBCMT ref: 0044A19B
                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044A1C1
                                                • WriteFile.KERNEL32(?,00000000,00000000,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A1E0
                                                • WriteFile.KERNEL32(?,?,00000001,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A219
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                • String ID:
                                                • API String ID: 1324828854-0
                                                • Opcode ID: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                • Instruction ID: b40464c9ec282996611fef5cbd20273031f87559cdf671a411eba52403cbf28d
                                                • Opcode Fuzzy Hash: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                • Instruction Fuzzy Hash: DB51E270E002099FEB10CFA8D881AEEBBF8FF09300F14416BE815E3391D6749951CB6A
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free
                                                • String ID: HE$HE
                                                • API String ID: 269201875-1978648262
                                                • Opcode ID: fc29a47a32afb3350fc3e3c96543f328580f9b5143c0f3ce58bfce5294a38304
                                                • Instruction ID: 4134de32792d44acead4bb36f8da9b5b282593f8ffe10db144b1eaf4d9577b64
                                                • Opcode Fuzzy Hash: fc29a47a32afb3350fc3e3c96543f328580f9b5143c0f3ce58bfce5294a38304
                                                • Instruction Fuzzy Hash: 90412A31A009106BEF24AABA8CD5A7F3B64DF45375F14031BFC1896293D67C8C4996AA
                                                APIs
                                                  • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                  • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
                                                • Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
                                                • CloseHandle.KERNEL32(00000000), ref: 0040E8AB
                                                  • Part of subcall function 0041B187: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B19C
                                                  • Part of subcall function 0041B187: IsWow64Process.KERNEL32(00000000,?,?,?,00474358), ref: 0041B1A7
                                                  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                • String ID: PgF
                                                • API String ID: 2180151492-654241383
                                                • Opcode ID: f63e02058b3df390fc99547af966fd5b060998b003f203cb2b12e7754b08fae9
                                                • Instruction ID: 1ccfc3ca83e07eb3b8bade3b71d1bee95701cef3987deea6625860c00c24977f
                                                • Opcode Fuzzy Hash: f63e02058b3df390fc99547af966fd5b060998b003f203cb2b12e7754b08fae9
                                                • Instruction Fuzzy Hash: F641E1311083415BC325F761D8A1AEFB7E9EFA4305F50453EF84A931E1EF389A49C65A
                                                APIs
                                                • _ValidateLocalCookies.LIBCMT ref: 00437AAB
                                                • ___except_validate_context_record.LIBVCRUNTIME ref: 00437AB3
                                                • _ValidateLocalCookies.LIBCMT ref: 00437B41
                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 00437B6C
                                                • _ValidateLocalCookies.LIBCMT ref: 00437BC1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                • String ID: csm
                                                • API String ID: 1170836740-1018135373
                                                • Opcode ID: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                                                • Instruction ID: 9404c61c081bc4e6da2099be8a52027e1297fde76841380def533d3eaa533744
                                                • Opcode Fuzzy Hash: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                                                • Instruction Fuzzy Hash: CD410970A04209DBCF20EF19C844A9FBBB5AF0932CF14915BE8556B392D739EE05CB95
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ac8429af2de8aec4c7be5426e4bb47fdde12a831901fd5511e93482c0d59407e
                                                • Instruction ID: 969edc756a0dffe936139f0dc9bce31aed38431af2e56c5058bd22e5c2f4fad6
                                                • Opcode Fuzzy Hash: ac8429af2de8aec4c7be5426e4bb47fdde12a831901fd5511e93482c0d59407e
                                                • Instruction Fuzzy Hash: 991124B1508654FBDB202F769C4493B3B6CEF82376B10016FFC15D7242DA7C8805C2AA
                                                APIs
                                                • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
                                                • int.LIBCPMT ref: 0040FC0F
                                                  • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                  • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                • std::_Facet_Register.LIBCPMT ref: 0040FC4B
                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                • String ID: P[G
                                                • API String ID: 2536120697-571123470
                                                • Opcode ID: 080c8d6f573d4b518caf4e655f0fcc3a1f7fca7e624085fd0a478c15266a48d0
                                                • Instruction ID: a46b155a0a589d4ea75c4983af6a631921b9d9812a15003568faaf62f6f01cf1
                                                • Opcode Fuzzy Hash: 080c8d6f573d4b518caf4e655f0fcc3a1f7fca7e624085fd0a478c15266a48d0
                                                • Instruction Fuzzy Hash: 7611F331904518A7CB14FBA5D8469DEB7689E44358B20007BF905B72C1EB7CAE45C79D
                                                APIs
                                                  • Part of subcall function 0044FA22: _free.LIBCMT ref: 0044FA4B
                                                • _free.LIBCMT ref: 0044FD29
                                                  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                  • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                • _free.LIBCMT ref: 0044FD34
                                                • _free.LIBCMT ref: 0044FD3F
                                                • _free.LIBCMT ref: 0044FD93
                                                • _free.LIBCMT ref: 0044FD9E
                                                • _free.LIBCMT ref: 0044FDA9
                                                • _free.LIBCMT ref: 0044FDB4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                • Instruction ID: b6f47af98b99390d2ca34363280ce03bc5e4d1be0f6c4f29549f69d6ae0d3a9a
                                                • Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                • Instruction Fuzzy Hash: 5F119031711B04B6F520FBB2CC07FCBB7DC9F42308F814C2EB29E76152E628A9184645
                                                APIs
                                                • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe), ref: 00406835
                                                  • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
                                                  • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                • CoUninitialize.OLE32 ref: 0040688E
                                                Strings
                                                • [+] ShellExec success, xrefs: 00406873
                                                • [+] before ShellExec, xrefs: 00406856
                                                • C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, xrefs: 00406815, 00406818, 0040686A
                                                • [+] ucmCMLuaUtilShellExecMethod, xrefs: 0040681A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: InitializeObjectUninitialize_wcslen
                                                • String ID: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                • API String ID: 3851391207-2158132279
                                                • Opcode ID: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                                • Instruction ID: 622c6236034ee416db36617ed9a374104512909f75adacabffe0517dc70a223e
                                                • Opcode Fuzzy Hash: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                                • Instruction Fuzzy Hash: A501C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669
                                                APIs
                                                • std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
                                                • int.LIBCPMT ref: 0040FEF2
                                                  • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                  • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                • std::_Facet_Register.LIBCPMT ref: 0040FF2E
                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                • String ID: H]G
                                                • API String ID: 2536120697-1717957184
                                                • Opcode ID: 4f42b0104d3fab8d9c54d588918312ac25f5cdf33bdc383dd9a32706d08bdfcf
                                                • Instruction ID: c39742161ac3258eace465d30f2780732a1ff9819e97f4bd037edafe9ec39b9f
                                                • Opcode Fuzzy Hash: 4f42b0104d3fab8d9c54d588918312ac25f5cdf33bdc383dd9a32706d08bdfcf
                                                • Instruction Fuzzy Hash: 9011BF31900419ABCB24FBA5C8468DDB7799F95318B20007FF505B72C1EB78AF09C799
                                                APIs
                                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
                                                • GetLastError.KERNEL32 ref: 0040B2EE
                                                Strings
                                                • UserProfile, xrefs: 0040B2B4
                                                • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
                                                • [Chrome Cookies found, cleared!], xrefs: 0040B314
                                                • [Chrome Cookies not found], xrefs: 0040B308
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: DeleteErrorFileLast
                                                • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                • API String ID: 2018770650-304995407
                                                • Opcode ID: affce56bb21929d7383bdb2dccb574c79b51b4180e8c74c87d019dc2b0b7a2d9
                                                • Instruction ID: 647c9f6895dd19beb09db90be4e639f81332b1b521455d1adc7a9c6a9ee315b4
                                                • Opcode Fuzzy Hash: affce56bb21929d7383bdb2dccb574c79b51b4180e8c74c87d019dc2b0b7a2d9
                                                • Instruction Fuzzy Hash: 3301A23164410557CB047BB5DD6B8AF3624ED50708F60013FF802B32E2FE3A9A0586CE
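The two function blocks above (the CoInitializeEx/CoGetObject routine carrying the "[+] ucmCMLuaUtilShellExecMethod" debug strings, and the DeleteFileA routine that wipes the Chrome Cookies database) are the kind of thing an analyst turns into a triage signature as soon as the report is read. The following is an added example, not part of the Joe Sandbox report and not Remcos code: a small Python scanner that scores a raw buffer (file bytes or a memory dump) against exactly the literals recorded in the report's "Strings" sections, in both ANSI and UTF-16LE form because DeleteFileA takes an ANSI path while CoGetObject takes a wide moniker. One entry is an assumption rather than report data: "Elevation:Administrator!new:" is the documented COM elevation-moniker prefix that CMSTPLUA-style bypasses pass to CoGetObject; the report records the call but not the moniker text. Rule names, weights, the threshold and the SAMPLE/BENIGN byte strings are constructed for illustration.

```python
"""Added example: string-based triage for two behaviours recorded in the
function blocks above (CMSTPLUA UAC-bypass debug strings; Chrome cookie wipe).
Not Joe Sandbox or Remcos code. Rule names, weights, the threshold and the
SAMPLE/BENIGN byte strings are constructed for illustration."""

# Literals taken from the report's "Strings" sections, plus one assumption:
# "Elevation:Administrator!new:" is the documented COM elevation-moniker prefix
# that CMSTPLUA-style bypasses hand to CoGetObject. The report shows the
# CoGetObject call but not the moniker text, so that entry is an assumption.
RULES = {
    "uac_bypass_cmstplua": [
        ("[+] ucmCMLuaUtilShellExecMethod", 3),
        ("[+] before ShellExec", 1),
        ("[+] ShellExec success", 1),
        ("Elevation:Administrator!new:", 2),  # assumption, see above
    ],
    "chrome_cookie_wipe": [
        ("\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies", 3),
        ("[Chrome Cookies found, cleared!]", 2),
        ("[Chrome Cookies not found]", 1),
        ("UserProfile", 1),
    ],
}


def _encodings(literal: str):
    """Yield the byte forms a Win32 binary may store for one literal:
    ANSI (DeleteFileA-style) and UTF-16LE (CoGetObject-style)."""
    yield literal.encode("ascii")
    yield literal.encode("utf-16-le")


def scan(data: bytes) -> dict:
    """Score every rule against a raw buffer (file bytes or a memory dump).
    Each literal counts once even if both encodings are present.
    Returns {rule: {"score": int, "matched": [literal, ...]}}."""
    results = {}
    for rule, entries in RULES.items():
        score, matched = 0, []
        for literal, weight in entries:
            if any(needle in data for needle in _encodings(literal)):
                score += weight
                matched.append(literal)
        results[rule] = {"score": score, "matched": matched}
    return results


def verdict(data: bytes, threshold: int = 3) -> list:
    """Names of rules whose score reaches the threshold, sorted for stable output.
    The threshold is set so a lone path or method-name string fires on its own,
    while the generic "[+]" progress lines only count in combination."""
    return sorted(r for r, h in scan(data).items() if h["score"] >= threshold)


# Constructed buffers standing in for a decoded sample and a benign file.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"[+] ucmCMLuaUtilShellExecMethod\x00[+] before ShellExec\x00"
    + b"[+] ShellExec success\x00"
    + "Elevation:Administrator!new:{".encode("utf-16-le")  # wide, as CoGetObject expects
    + b"UserProfile\x00"
    + b"\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies\x00"
    + b"[Chrome Cookies found, cleared!]\x00"
)
BENIGN = b"MZ\x90\x00" + b"Hello, world\x00" * 8

if __name__ == "__main__":
    for name, buf in (("sample", SAMPLE), ("benign", BENIGN)):
        print(name, verdict(buf), scan(buf))
```

Run it against the decoded .dat-decoded.exe or against the 00401000 memory dump listed under "Memory Dump Source" and both rules should fire; a packed outer layer will typically hide the strings, which is why the decoded sample and the process dump, not the base64 container, are the right inputs.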
                                                Strings
                                                • BG, xrefs: 00406909
                                                • escoclar-5B94K9, xrefs: 0040693F
                                                • C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe, xrefs: 00406927
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe$escoclar-5B94K9$BG
                                                • API String ID: 0-3350151255
                                                • Opcode ID: d50a95e135f0bfdaf236d1bb78b8391e43d4b57b805b0d92c2bf5032378cfc05
                                                • Instruction ID: a0817f974ad937f6cb5b9dd001e5131ae01746641b95ac10126ddf8aadfa6e31
                                                • Opcode Fuzzy Hash: d50a95e135f0bfdaf236d1bb78b8391e43d4b57b805b0d92c2bf5032378cfc05
                                                • Instruction Fuzzy Hash: 05F096B17022109BDB103774BC1967A3645A780356F01847BF94BFA6E5DB3C8851869C
                                                APIs
                                                • _free.LIBCMT ref: 00443305
                                                  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                  • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                • _free.LIBCMT ref: 00443317
                                                • _free.LIBCMT ref: 0044332A
                                                • _free.LIBCMT ref: 0044333B
                                                • _free.LIBCMT ref: 0044334C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID: HFj
                                                • API String ID: 776569668-2324456879
                                                • Opcode ID: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                                • Instruction ID: 76e6a482bc9a1727a28655d1f271e5fc3ecde01143ea680422932a64b095765e
                                                • Opcode Fuzzy Hash: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                                • Instruction Fuzzy Hash: B9F05EF08075209FAB12AF2DBD014893BA0B786755306413BF41EB2772EB380D95DB8E
                                                APIs
                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F64
                                                • PlaySoundW.WINMM(00000000,00000000), ref: 00419F72
                                                • Sleep.KERNEL32(00002710), ref: 00419F79
                                                • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F82
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: PlaySound$HandleLocalModuleSleepTime
                                                • String ID: Alarm triggered$`#v
                                                • API String ID: 614609389-3049340936
                                                • Opcode ID: debb84a1251a9d4f253e7d3f2da0eb81be5ea948ed7eff08d43fd7d9de811cd2
                                                • Instruction ID: 0fe531f7edf44dbbc4d7c544cb5d4c76277d8d7fe89cd9bd4aa838a143c441bc
                                                • Opcode Fuzzy Hash: debb84a1251a9d4f253e7d3f2da0eb81be5ea948ed7eff08d43fd7d9de811cd2
                                                • Instruction Fuzzy Hash: 50E09A22A0422033862033BA7C0FC6F3E28DAC6B75B4100BFF905A21A2AE54081086FB
                                                APIs
                                                • __allrem.LIBCMT ref: 00439789
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397A5
                                                • __allrem.LIBCMT ref: 004397BC
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397DA
                                                • __allrem.LIBCMT ref: 004397F1
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043980F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                • String ID:
                                                • API String ID: 1992179935-0
                                                • Opcode ID: 088a2e1066119da7e611ebb0c50ba568729b81e5e50e163a33f94ab824c18df8
                                                • Instruction ID: 29148231e9435c1f59b8c02308e8e4f0c882d016d38a0f6ab7871d26eba04b65
                                                • Opcode Fuzzy Hash: 088a2e1066119da7e611ebb0c50ba568729b81e5e50e163a33f94ab824c18df8
                                                • Instruction Fuzzy Hash: 7A811B726017069BE724AE79CC82B6F73A8AF49328F24512FF511D66C1E7B8DD018B58
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: __cftoe
                                                • String ID:
                                                • API String ID: 4189289331-0
                                                APIs
                                                Strings
                                                Yara matches
                                                Similarity
                                                • API ID: __freea$__alloca_probe_16
                                                • String ID: a/p$am/pm
                                                • API String ID: 3509577899-3206640213
                                                APIs
                                                • Sleep.KERNEL32(00000000), ref: 00403E8A
                                                  • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
                                                Strings
                                                Yara matches
                                                Similarity
                                                • API ID: H_prologSleep
                                                • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
                                                • API String ID: 3469354165-462540288
                                                APIs
                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419DFC
                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E10
                                                • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E1D
                                                • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419507), ref: 00419E52
                                                • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E64
                                                • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E67
                                                Yara matches
                                                Similarity
                                                • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                • String ID:
                                                • API String ID: 493672254-0
                                                APIs
                                                • GetLastError.KERNEL32(?,?,00437DFD,004377B1), ref: 00437E14
                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E22
                                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E3B
                                                • SetLastError.KERNEL32(00000000,?,00437DFD,004377B1), ref: 00437E8D
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLastValue___vcrt_
                                                • String ID:
                                                • API String ID: 3852720340-0
                                                APIs
                                                • GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                • _free.LIBCMT ref: 00446EF6
                                                • _free.LIBCMT ref: 00446F1E
                                                • SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
                                                • SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                • _abort.LIBCMT ref: 00446F3D
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$_free$_abort
                                                • String ID:
                                                • API String ID: 3160817290-0
                                                APIs
                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C2F
                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C43
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C50
                                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C5F
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C71
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C74
                                                Yara matches
                                                Similarity
                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                • String ID:
                                                • API String ID: 221034970-0
                                                APIs
                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D31
                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D45
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D52
                                                • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D61
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D73
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D76
                                                Yara matches
                                                Similarity
                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                • String ID:
                                                • API String ID: 221034970-0
                                                APIs
                                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419D96
                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DAA
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DB7
                                                • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DC6
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DD8
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DDB
                                                Yara matches
                                                Similarity
                                                • API ID: Service$CloseHandle$Open$ControlManager
                                                • String ID:
                                                • API String ID: 221034970-0
                                                APIs
                                                • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED
                                                Strings
                                                Yara matches
                                                Similarity
                                                • API ID: Enum$InfoQueryValue
                                                • String ID: [regsplt]$DG
                                                • API String ID: 3554306468-1089238109
                                                APIs
                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe,00000104), ref: 00442714
                                                • _free.LIBCMT ref: 004427DF
                                                • _free.LIBCMT ref: 004427E9
                                                Strings
                                                Yara matches
                                                Similarity
                                                • API ID: _free$FileModuleName
                                                • String ID: @)h$C:\Users\user\Desktop\1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c553abe427.dat-decoded.exe
                                                • API String ID: 2506810119-4160916090
                                                APIs
                                                  • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                                  • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                                  • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                • __Init_thread_footer.LIBCMT ref: 0040AEA7
                                                  • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                                  • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                                Strings
                                                • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                                • String ID: [End of clipboard]$[Text copied to clipboard]$,]G$0]G
                                                • API String ID: 2974294136-753205382
                                                APIs
                                                • RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                                • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                                • GetLastError.KERNEL32 ref: 0041CA91
                                                • API ID: ClassCreateErrorLastRegisterWindow
                                                • String ID: 0$MsgWindowClass
                                                • API String ID: 2877667751-2410386613
                                                APIs
                                                • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
                                                • CloseHandle.KERNEL32(?), ref: 00406A0F
                                                • CloseHandle.KERNEL32(?), ref: 00406A14
                                                Strings
                                                • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
                                                • C:\Windows\System32\cmd.exe, xrefs: 004069FB
                                                • API ID: CloseHandle$CreateProcess
                                                • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                • API String ID: 2922976086-4183131282
                                                APIs
                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044258A,?,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002), ref: 004425F9
                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044260C
                                                • FreeLibrary.KERNEL32(00000000,?,?,?,0044258A,?,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002,00000000), ref: 0044262F
                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                • String ID: CorExitProcess$mscoree.dll
                                                • API String ID: 4061214504-1276376045
                                                APIs
                                                • RegCreateKeyW.ADVAPI32(80000001,00000000,BG), ref: 0041277F
                                                • RegSetValueExW.ADVAPI32(BG,?,00000000,00000001,00000000,00000000,004742F8,?,0040E5CB,pth_unenc,004742E0), ref: 004127AD
                                                • RegCloseKey.ADVAPI32(?,?,0040E5CB,pth_unenc,004742E0), ref: 004127B8
                                                • API ID: CloseCreateValue
                                                • String ID: pth_unenc$BG
                                                • API String ID: 1818849710-2233081382
                                                APIs
                                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,004745A8,00414DB5,00000000,00000000,00000001), ref: 00404AED
                                                • SetEvent.KERNEL32(0000030C), ref: 00404AF9
                                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404B04
                                                • CloseHandle.KERNEL32(00000000), ref: 00404B0D
                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                • String ID: KeepAlive | Disabled
                                                • API String ID: 2993684571-305739064
                                                APIs
                                                • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF02), ref: 0041BE79
                                                • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BE86
                                                • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF02), ref: 0041BE93
                                                • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BEA6
                                                Strings
                                                • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BE99
                                                • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                • API String ID: 3024135584-2418719853
                                                APIs
                                                  • Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF
                                                • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
                                                • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
                                                • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410C31
                                                • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
                                                • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69
                                                • API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
                                                • API String ID: 3525466593-0
                                                • API ID: _free
                                                • API String ID: 269201875-0
                                                APIs
                                                • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0043E3ED,?,00000000,?,00000001,?,?,00000001,0043E3ED,?), ref: 0044FF20
                                                • __alloca_probe_16.LIBCMT ref: 0044FF58
                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044FFA9
                                                • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,004399BF,?), ref: 0044FFBB
                                                • __freea.LIBCMT ref: 0044FFC4
                                                  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                • API String ID: 313313983-0
                                                APIs
                                                • GetEnvironmentStringsW.KERNEL32 ref: 0044E144
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E167
                                                  • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E18D
                                                • _free.LIBCMT ref: 0044E1A0
                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1AF
                                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                • API String ID: 336800556-0
                                                APIs
                                                • GetLastError.KERNEL32(0000000A,0000000B,0000000A,00445359,00440A9B,00000000,?,?,?,?,00440C7E,00000000,0000000A,000000FF,0000000A,00000000), ref: 00446F48
                                                • _free.LIBCMT ref: 00446F7D
                                                • _free.LIBCMT ref: 00446FA4
                                                • SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 00446FB1
                                                • SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 00446FBA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$_free
                                                • String ID:
                                                • API String ID: 3170660625-0
                                                • Opcode ID: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                                • Instruction ID: 6bd692df8320938abc1815071491dbd9703328d73d2f54107518a18b095bb187
                                                • Opcode Fuzzy Hash: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                                • Instruction Fuzzy Hash: 7401D13620C70067F61266757C85D2F266DDBC3B66727013FF958A2292EE2CCC0A452F
                                                APIs
                                                • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041B3C8
                                                • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3D3
                                                • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3DB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$CloseHandleOpen$FileImageName
                                                • String ID:
                                                • API String ID: 2951400881-0
                                                • Opcode ID: db4a41822c85b6549257f18fa46790b7e5e5d5e6a524df97c50e7420b53bdc77
                                                • Instruction ID: bb9aee54fd4b55ef2446b45ef4d52834339351c189d8e7c886657dc3bd6b5f1d
                                                • Opcode Fuzzy Hash: db4a41822c85b6549257f18fa46790b7e5e5d5e6a524df97c50e7420b53bdc77
                                                • Instruction Fuzzy Hash: 2FF04971204209ABD3106754AC4AFA7B27CDB40B96F000037FA61D22A1FFB4CCC146AE
                                                APIs
                                                • _free.LIBCMT ref: 0044F7B5
                                                  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                  • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                • _free.LIBCMT ref: 0044F7C7
                                                • _free.LIBCMT ref: 0044F7D9
                                                • _free.LIBCMT ref: 0044F7EB
                                                • _free.LIBCMT ref: 0044F7FD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                • Instruction ID: 78b16e2cd2bc6e4547488c8f4e3d182d22cf8911186b8f77a4a783cd10448158
                                                • Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                • Instruction Fuzzy Hash: 9AF01232505600BBE620EB59E8C5C1773E9EB827147A9482BF408F7641CB3DFCC48A6C
                                                APIs
                                                • GetWindowThreadProcessId.USER32(?,?), ref: 00416768
                                                • GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
                                                • IsWindowVisible.USER32(?), ref: 004167A1
                                                  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ProcessWindow$Open$TextThreadVisible
                                                • String ID: (FG
                                                • API String ID: 3142014140-2273637114
                                                • Opcode ID: 4740719a390b3ba9c6c78a6bb065e116e455b7124dca1e6ba6f29cda58230414
                                                • Instruction ID: 6337817d5adb2ff800b6fe7f9081d1b6a06097940366009b721c4d78a1625a25
                                                • Opcode Fuzzy Hash: 4740719a390b3ba9c6c78a6bb065e116e455b7124dca1e6ba6f29cda58230414
                                                • Instruction Fuzzy Hash: FD71E6321082414AC325FB61D8A5ADFB3E4AFE4319F50453EF58A530E1EF746A49C79A
                                                APIs
                                                • _strpbrk.LIBCMT ref: 0044D4A8
                                                • _free.LIBCMT ref: 0044D5C5
                                                  • Part of subcall function 0043A854: IsProcessorFeaturePresent.KERNEL32(00000017,0043A826,00000000,0000000A,0000000A,00000000,0041AD67,00000022,?,?,0043A833,00000000,00000000,00000000,00000000,00000000), ref: 0043A856
                                                  • Part of subcall function 0043A854: GetCurrentProcess.KERNEL32(C0000417,0000000A,00000000), ref: 0043A878
                                                  • Part of subcall function 0043A854: TerminateProcess.KERNEL32(00000000), ref: 0043A87F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                • String ID: *?$.
                                                • API String ID: 2812119850-3972193922
                                                • Opcode ID: 3ccd6c7c6263025d80bbf4df8e19646480fb990c35b4b1cfbff97afb24dbcef1
                                                • Instruction ID: 2d4433a3afc190a5690657b280c6536bac4d5ba0d1806d6c31be7b1549e3be36
                                                • Opcode Fuzzy Hash: 3ccd6c7c6263025d80bbf4df8e19646480fb990c35b4b1cfbff97afb24dbcef1
                                                • Instruction Fuzzy Hash: 7251B371E00109AFEF14DFA9C881AAEB7F5EF58318F24416FE854E7301DA799E018B54
                                                APIs
                                                • GetKeyboardLayoutNameA.USER32(?), ref: 00409601
                                                  • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                  • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                                  • Part of subcall function 0041B6AA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6BF
                                                  • Part of subcall function 00404468: send.WS2_32(00000304,00000000,00000000,00000000), ref: 004044FD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateFileKeyboardLayoutNameconnectsendsocket
                                                • String ID: XCG$`AG$>G
                                                • API String ID: 2334542088-2372832151
                                                • Opcode ID: 1cf10a0665e3775091c447b47999919f7d6db2360a149e937a3b08d82d1eeea5
                                                • Instruction ID: 7adbea44916697806613a62f0197ef330eb15d5bc584e2d7fa9685cab7613629
                                                • Opcode Fuzzy Hash: 1cf10a0665e3775091c447b47999919f7d6db2360a149e937a3b08d82d1eeea5
                                                • Instruction Fuzzy Hash: 865143321042405BC325F775D8A2AEF73D5AFE4308F50483FF84A671E2EE785949C69A
                                                APIs
                                                • send.WS2_32(00000304,00000000,00000000,00000000), ref: 004044FD
                                                • WaitForSingleObject.KERNEL32(00000330,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                                • SetEvent.KERNEL32(00000330,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: EventObjectSingleWaitsend
                                                • String ID: LAL
                                                • API String ID: 3963590051-3302426157
                                                • Opcode ID: 314c35cb7c3e0cdd1eb64e7b3ffc619a90be7dd70040102f0ebb66c8c0e95541
                                                • Instruction ID: 68c7e6670e460543dd9c105572fcb78fed3a06f13f8c8b410ea91b680b50408d
                                                • Opcode Fuzzy Hash: 314c35cb7c3e0cdd1eb64e7b3ffc619a90be7dd70040102f0ebb66c8c0e95541
                                                • Instruction Fuzzy Hash: 192143B29001196BDF04BBA5DC96DEE777CFF54358B00013EF916B21E1EA78A604D6A4
                                                APIs
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
                                                  • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
                                                  • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                  • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                  • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                • Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                • String ID: /sort "Visit Time" /stext "$8>G
                                                • API String ID: 368326130-2663660666
                                                • Opcode ID: f086c9f5da83253ac26c9d0f50b0703b97421a1697d77c47133a2e168226085d
                                                • Instruction ID: 7eda923cdb9144c2d3fbd791e6ccfb72172be11f11f2a08a3aebfaec1b2861d2
                                                • Opcode Fuzzy Hash: f086c9f5da83253ac26c9d0f50b0703b97421a1697d77c47133a2e168226085d
                                                • Instruction Fuzzy Hash: E5317331A0021456CB14FBB6DC969EE7775AF90318F40017FF906B71D2EF385A8ACA99
                                                APIs
                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                  • Part of subcall function 0044DDE7: _abort.LIBCMT ref: 0044DE19
                                                  • Part of subcall function 0044DDE7: _free.LIBCMT ref: 0044DE4D
                                                  • Part of subcall function 0044DA5C: GetOEMCP.KERNEL32(00000000,?,?,0044DCE5,?), ref: 0044DA87
                                                • _free.LIBCMT ref: 0044DD40
                                                • _free.LIBCMT ref: 0044DD76
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorLast_abort
                                                • String ID: HFj$HFj
                                                • API String ID: 2991157371-3130451497
                                                • Opcode ID: 9ec75d27e75173005142ff49c1fb8a194fa534556bd27181e1428d408c7a2cd6
                                                • Instruction ID: 78e98af2e08dba5698695eadbe882f177ccac690bbf417dcf661007a8bbce0b0
                                                • Opcode Fuzzy Hash: 9ec75d27e75173005142ff49c1fb8a194fa534556bd27181e1428d408c7a2cd6
                                                • Instruction Fuzzy Hash: CE31E4B1D04108AFFB14EF69D441B9A77F4DF41324F25409FE9049B2A2EB799D41CB58
                                                APIs
                                                • GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                • wsprintfW.USER32 ref: 0040A905
                                                  • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: EventLocalTimewsprintf
                                                • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                                                • API String ID: 1497725170-1359877963
                                                • Opcode ID: f1131f2c5aa9efe0aa35bfe1aadc190762ac6710f9a6fccd412707abd6ba0ca2
                                                • Instruction ID: 8a7b6ca92c081f7f17d03b5bac770d689c192d548357e869dbc211d44db93d1d
                                                • Opcode Fuzzy Hash: f1131f2c5aa9efe0aa35bfe1aadc190762ac6710f9a6fccd412707abd6ba0ca2
                                                • Instruction Fuzzy Hash: BB118172400118AACB18BB56EC55CFE77BCAE48325F00013FF842620D1EF7C5A86C6E9
                                                APIs
                                                  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040A691
                                                • CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 0040A69D
                                                • CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateThread$LocalTime$wsprintf
                                                • String ID: Online Keylogger Started
                                                • API String ID: 112202259-1258561607
                                                • Opcode ID: 74bbf1dd48c5cc06e207f48c4eb53604144d0a493703acba44df512efce14c16
                                                • Instruction ID: 3917ec9fcb61ff418b23047d8298326e5ff7fd14d64f683336ff9c65b5464130
                                                • Opcode Fuzzy Hash: 74bbf1dd48c5cc06e207f48c4eb53604144d0a493703acba44df512efce14c16
                                                • Instruction Fuzzy Hash: DE01C4916003093AE62076368C87DBF3A6DCA813A8F40043EF541362C3E97D5D5582FB
                                                APIs
                                                • CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A991,`@,0046DD28,0000000C), ref: 0044AAC9
                                                • GetLastError.KERNEL32(?,0044A991,`@,0046DD28,0000000C), ref: 0044AAD3
                                                • __dosmaperr.LIBCMT ref: 0044AAFE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseErrorHandleLast__dosmaperr
                                                • String ID: `@
                                                • API String ID: 2583163307-951712118
                                                • Opcode ID: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                                • Instruction ID: 1bd3c876d7044edfb1a6812000b34c32b622226010ed5631802de8abdb52b33d
                                                • Opcode Fuzzy Hash: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                                • Instruction Fuzzy Hash: F8018E366446201AF7206674698577F77898B82738F2A027FF904972D2DE6DCCC5C19F
                                                APIs
                                                • PathFileExistsW.SHLWAPI(00000000), ref: 00419EAE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExistsFilePath
                                                • String ID: TUF$alarm.wav$xIG
                                                • API String ID: 1174141254-2188790166
                                                • Opcode ID: 78a56aa9651363ee496944c99f45765e7eccc86df74fcc7e6b7799ffaff104a1
                                                • Instruction ID: 7a4fe07350b1461b8d7cab7706a536354aa1130be6e3c83a2e6414618e768e61
                                                • Opcode Fuzzy Hash: 78a56aa9651363ee496944c99f45765e7eccc86df74fcc7e6b7799ffaff104a1
                                                • Instruction Fuzzy Hash: 8B01802060420166C604B676D866AEE77458BC1719F40413FF89A966E2EF6CAEC6C2DF
                                                APIs
                                                • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
                                                • CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
                                                • SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseEventHandleObjectSingleWait
                                                • String ID: Connection Timeout
                                                • API String ID: 2055531096-499159329
                                                • Opcode ID: 021faa9111ab8834074a9e6104490ab3bec6bd23ae7819230539afb67bbeabe2
                                                • Instruction ID: ea4abd021a31a941d528121f8d879e106695b0b6a7a7fd2d86c7f06b9a048df4
                                                • Opcode Fuzzy Hash: 021faa9111ab8834074a9e6104490ab3bec6bd23ae7819230539afb67bbeabe2
                                                • Instruction Fuzzy Hash: 7A01F5B1940B41AFD325BB3A9C4645ABBE4AB45315700053FF6D392BB1DA38E8408B5A
                                                APIs
                                                • waveInPrepareHeader.WINMM(0069E878,00000020,?,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 00401747
                                                • waveInAddBuffer.WINMM(0069E878,00000020,?,00000000,00401913), ref: 0040175D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: wave$BufferHeaderPrepare
                                                • String ID: T=G$xi
                                                • API String ID: 2315374483-643237099
                                                • Opcode ID: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                                • Instruction ID: f8644d152c35c587af506687758c025c54344a6e575747702fe1289d7b8da532
                                                • Opcode Fuzzy Hash: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                                • Instruction Fuzzy Hash: 65018B71301300AFD7209F39EC45A69BBA9EB4931AF01413EB808D32B1EB34A8509B98
                                                APIs
                                                • std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
                                                • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08
                                                  • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 004347DC
                                                  • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 00434800
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                • String ID: bad locale name
                                                • API String ID: 3628047217-1405518554
                                                • Opcode ID: 2c952230bb5508a40ba9b400b3509c8dd800ec2376424fb743b9d3d13ecaa97f
                                                • Instruction ID: 69d9b4558c1556c2c918d31b5ea24064f6fee533cc814fb99c42b36f0b05f267
                                                • Opcode Fuzzy Hash: 2c952230bb5508a40ba9b400b3509c8dd800ec2376424fb743b9d3d13ecaa97f
                                                • Instruction Fuzzy Hash: 1AF08171400204EAC724FB23D853ACA73A49F54748F90497FB506214D2EF38A618CA8C
                                                APIs
                                                • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExecuteShell
                                                • String ID: /C $cmd.exe$open
                                                • API String ID: 587946157-3896048727
                                                • Opcode ID: ee6d09c7a5be61fc2c77f0fe381f15b1933766d643093560b744fac4f5f657b7
                                                • Instruction ID: 3ae8c2b06d9b1922b9065f49b1512f2a4b1b87a12dccb2265ed1bd098505db2c
                                                • Opcode Fuzzy Hash: ee6d09c7a5be61fc2c77f0fe381f15b1933766d643093560b744fac4f5f657b7
                                                • Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E
                                                APIs
                                                • TerminateThread.KERNEL32(Function_000099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                                • UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                • TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: TerminateThread$HookUnhookWindows
                                                • String ID: pth_unenc
                                                • API String ID: 3123878439-4028850238
                                                • Opcode ID: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                                                • Instruction ID: c35477c7b81069fed5c639b3d306817a7c517f63bcb5e1090982200d4e51bed9
                                                • Opcode Fuzzy Hash: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                                                • Instruction Fuzzy Hash: 32E01DB1209317DFD3101F546C84825B799EB44356324047FF6C155252C5798C54C759
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: __alldvrm$_strrchr
                                                • String ID:
                                                • API String ID: 1036877536-0
                                                • Opcode ID: 63f75d4c6ddf9dfadee5a9a28b1451e266bcc439c32975fae3941ae33d1a5297
                                                • Instruction ID: 63a095292c52d92af2bf19a392fdfa9b0d117a80b68c781492b1ecdde0b53e6f
                                                • Opcode Fuzzy Hash: 63f75d4c6ddf9dfadee5a9a28b1451e266bcc439c32975fae3941ae33d1a5297
                                                • Instruction Fuzzy Hash: 60A168729042469FFB21CF58C8817AEBBE2EF55314F24416FE5849B382DA3C8D45C759
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d2c3ac181d975cfacaee5c3ec40136b8bdf5b2422b9dd14ab5655829a2308330
                                                • Instruction ID: 90b3d0a8f148eb65ba096d855dd205fb67a40d318d5acb0a54968c3478788488
                                                • Opcode Fuzzy Hash: d2c3ac181d975cfacaee5c3ec40136b8bdf5b2422b9dd14ab5655829a2308330
                                                • Instruction Fuzzy Hash: 10412B71A00744AFF724AF78CC41B6ABBE8EF88714F10452FF511DB291E679A9458788
                                                APIs
                                                Strings
                                                • Cleared browsers logins and cookies., xrefs: 0040B8EF
                                                • [Cleared browsers logins and cookies.], xrefs: 0040B8DE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Sleep
                                                • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                • API String ID: 3472027048-1236744412
                                                • Opcode ID: a28c998271a66f8567227a1897484aa15a4fe563e622933235ba73a641e0d975
                                                • Instruction ID: 8ec9c8031b8ac0664cfb8a22ca307bf710261ddd843e88104a77dac6ce00e7b7
                                                • Opcode Fuzzy Hash: a28c998271a66f8567227a1897484aa15a4fe563e622933235ba73a641e0d975
                                                • Instruction Fuzzy Hash: FA31891564C3816ACA11777514167EB6F958A93754F0884BFF8C4273E3DB7A480893EF
                                                APIs
                                                  • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                  • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                  • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                • Sleep.KERNEL32(00000BB8), ref: 004115C3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseOpenQuerySleepValue
                                                • String ID: @CG$exepath$BG
                                                • API String ID: 4119054056-3221201242
                                                • Opcode ID: efcd0af1208699037f09edad500f6ec840cfbf7b9737e1f52f1688804d5b7727
                                                • Instruction ID: 48aadeccb903c06d46a934e3c92f1fe58b0119fffb77d403c20537554d94cb98
                                                • Opcode Fuzzy Hash: efcd0af1208699037f09edad500f6ec840cfbf7b9737e1f52f1688804d5b7727
                                                • Instruction Fuzzy Hash: C721F4A0B002042BD614B77A6C06ABF724E8BD1308F00457FBD4AA72D3DE7D9D4581AD
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: SystemTimes$Sleep__aulldiv
                                                • String ID:
                                                • API String ID: 188215759-0
                                                • Opcode ID: 92a2626712ce3f1da2ce83f7d896a05a413d351f08ea1f1dcdc4cf9aeb41d840
                                                • Instruction ID: 3b66203fd79088dfadce72ddbf0b0401c54eb4bd27628439374ba0e7aa9136f0
                                                • Opcode Fuzzy Hash: 92a2626712ce3f1da2ce83f7d896a05a413d351f08ea1f1dcdc4cf9aeb41d840
                                                • Instruction Fuzzy Hash: 9D215E725083009BC304DF65D98589FB7E8EFC8654F044A2EF589D3251EA34EA49CB63
                                                APIs
                                                  • Part of subcall function 0041B6E6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B6F6
                                                  • Part of subcall function 0041B6E6: GetWindowTextLengthW.USER32(00000000), ref: 0041B6FF
                                                  • Part of subcall function 0041B6E6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B729
                                                • Sleep.KERNEL32(000001F4), ref: 00409C95
                                                • Sleep.KERNEL32(00000064), ref: 00409D1F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Window$SleepText$ForegroundLength
                                                • String ID: [ $ ]
                                                • API String ID: 3309952895-93608704
                                                • Opcode ID: 92cb9d2a2d6bf6289d44fec474a7e000b4a54ab88b054bee990bed59a71b9a03
                                                • Instruction ID: a5f4dc9a3e016f43683dc3f70dfd76a68f9d753ffdb665cb1c6be196efeb7d0c
                                                • Opcode Fuzzy Hash: 92cb9d2a2d6bf6289d44fec474a7e000b4a54ab88b054bee990bed59a71b9a03
                                                • Instruction Fuzzy Hash: 4611C0325082005BD218FB25DC17AAEB7A8AF51708F40047FF542221E3EF39AE1986DF
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
                                                • Instruction ID: c84c011be516b9a55b4d27d1f6be1bd7d35570b7e88518a67a440710abbdd315
                                                • Opcode Fuzzy Hash: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
                                                • Instruction Fuzzy Hash: 780126F26097153EF62016796CC1F6B230CDF823B8B34073BF421652E1EAA8CC01506C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                                                • Instruction ID: e6f180ecc181abb5a77ec057abe27f8575e00a75e8bcf6cd4df5c03139e47140
                                                • Opcode Fuzzy Hash: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                                                • Instruction Fuzzy Hash: E10121F2A092163EB62016797DD0DA7260DDF823B8374033BF421722D2EAA88C004068
                                                APIs
                                                • ___BuildCatchObject.LIBVCRUNTIME ref: 0043810F
                                                  • Part of subcall function 0043805C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043808B
                                                  • Part of subcall function 0043805C: ___AdjustPointer.LIBCMT ref: 004380A6
                                                • _UnwindNestedFrames.LIBCMT ref: 00438124
                                                • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438135
                                                • CallCatchBlock.LIBVCRUNTIME ref: 0043815D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                • String ID:
                                                • API String ID: 737400349-0
                                                • Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                • Instruction ID: 9a8277e88b86f5caaa8344fd0510e130f37262ecddc885b6c63592dc4fca678f
                                                • Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                • Instruction Fuzzy Hash: 09014032100208BBDF126E96CC45DEB7B69EF4C758F04500DFE4866121C739E861DBA8
                                                APIs
                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004471B7,00000000,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue), ref: 00447242
                                                • GetLastError.KERNEL32(?,004471B7,00000000,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446F91), ref: 0044724E
                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471B7,00000000,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044725C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: LibraryLoad$ErrorLast
                                                • String ID:
                                                • API String ID: 3177248105-0
                                                • Opcode ID: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                • Instruction ID: 998cab178f840ac2caaf283a3a5c141d85ba25b8fcaedc139a46ff50caeaa73b
                                                • Opcode Fuzzy Hash: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                • Instruction Fuzzy Hash: FC01D83261D7236BD7214B79AC44A577798BB05BA1B1106B2F906E3241D768D802C6D8
                                                APIs
                                                • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                • GetFileSize.KERNEL32(00000000,00000000), ref: 0041B647
                                                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041B66C
                                                • CloseHandle.KERNEL32(00000000), ref: 0041B67A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$CloseCreateHandleReadSize
                                                • String ID:
                                                • API String ID: 3919263394-0
                                                • Opcode ID: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                                • Instruction ID: 0a6fce4b3becde4f67ebc64a516323d43c368a538d14007d95c0a1c89629aad3
                                                • Opcode Fuzzy Hash: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                                • Instruction Fuzzy Hash: B3F0F6B12053047FE6101B25FC85FBF375CDB867A5F00023EFC01A22D1DA658C459179
                                                APIs
                                                • GetSystemMetrics.USER32(0000004C), ref: 00418519
                                                • GetSystemMetrics.USER32(0000004D), ref: 0041851F
                                                • GetSystemMetrics.USER32(0000004E), ref: 00418525
                                                • GetSystemMetrics.USER32(0000004F), ref: 0041852B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: MetricsSystem
                                                • String ID:
                                                • API String ID: 4116985748-0
                                                • Opcode ID: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
                                                • Instruction ID: 928f1b056b10b768f566869b0c9e39fed015f0adb742d9b99f9daccd71f82e50
                                                • Opcode Fuzzy Hash: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
                                                • Instruction Fuzzy Hash: 96F0D672B043216BCA00EA798C4556FBB97DFD02A4F25083FE6059B341DEB8EC4687D9
                                                APIs
                                                • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB59
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Info
                                                • String ID: $fD
                                                • API String ID: 1807457897-3092946448
                                                • Opcode ID: af305b060504fe74110eba1b75a066a7b29ec04ef294ab3684049637f65bd75b
                                                • Instruction ID: 070357306f4c5095a08430c9ceac02bf5c2973ae7142a422f036c1757655e3b4
                                                • Opcode Fuzzy Hash: af305b060504fe74110eba1b75a066a7b29ec04ef294ab3684049637f65bd75b
                                                • Instruction Fuzzy Hash: C241FA7090439C9AEB218F24CCC4BF6BBB9DF45308F1404EEE59A87242D279AE45DF65
                                                APIs
                                                • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417C08
                                                  • Part of subcall function 004177A2: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417C1B,00000000,?,?,?,?,00000000), ref: 004177B6
                                                • SHCreateMemStream.SHLWAPI(00000000), ref: 00417C55
                                                  • Part of subcall function 00417815: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417C71,00000000,?,?), ref: 00417827
                                                  • Part of subcall function 004177C5: GdipDisposeImage.GDIPLUS(?,00417CCC), ref: 004177CE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                • String ID: image/jpeg
                                                • API String ID: 1291196975-3785015651
                                                • Opcode ID: 8f3b30371828e1907736ebf26ac10b00a12ebc6a0bae61ebf375912b50c4f4ef
                                                • Instruction ID: 3dbe320e324aa312c145f712c1d391ec03548c85c69305bb74e69b0931de3aa8
                                                • Opcode Fuzzy Hash: 8f3b30371828e1907736ebf26ac10b00a12ebc6a0bae61ebf375912b50c4f4ef
                                                • Instruction Fuzzy Hash: 13315C75508300AFC301AF65C884DAFBBF9FF8A704F000A2EF94597251DB79A905CBA6
                                                APIs
                                                • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450B39,?,00000050,?,?,?,?,?), ref: 004509B9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: ACP$OCP
                                                • API String ID: 0-711371036
                                                • Opcode ID: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                • Instruction ID: 7e3e8aaac6bfe0b7539266298c93f9b0706a3ab6a9e9f394231f134d2b8bf5b7
                                                • Opcode Fuzzy Hash: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                • Instruction Fuzzy Hash: 072138EAA04201A6F7348B558801B9B7396AF54B23F164826EC49D730BF739DD49C358
                                                APIs
                                                • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417CF4
                                                  • Part of subcall function 004177A2: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417C1B,00000000,?,?,?,?,00000000), ref: 004177B6
                                                • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00417D19
                                                  • Part of subcall function 00417815: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417C71,00000000,?,?), ref: 00417827
                                                  • Part of subcall function 004177C5: GdipDisposeImage.GDIPLUS(?,00417CCC), ref: 004177CE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                • String ID: image/png
                                                • API String ID: 1291196975-2966254431
                                                • Opcode ID: 3eb8dd80f54a72a5a0a9ed13ccec69a705e73992219fab643a786ff0acabb055
                                                • Instruction ID: e3b7944e5392015f30009faa46d0af48502643625c308f0969f1fef2cb3c76d4
                                                • Opcode Fuzzy Hash: 3eb8dd80f54a72a5a0a9ed13ccec69a705e73992219fab643a786ff0acabb055
                                                • Instruction Fuzzy Hash: AA21A135204211AFC300AF61CC88CAFBBBDEFCA714F10052EF90693151DB399945CBA6
                                                APIs
                                                • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1
                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E
                                                Strings
                                                • KeepAlive | Enabled | Timeout: , xrefs: 004049E5
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: LocalTime
                                                • String ID: KeepAlive | Enabled | Timeout:
                                                • API String ID: 481472006-1507639952
                                                • Opcode ID: 88f98e07624f0cdc5f5406798babcb05efc51bc28ea43e2309e29ec04d21d8db
                                                • Instruction ID: fa495feba5854bec2644a8330ceabc5ae1d4c14ac10d4033695aa89a80f4fa5c
                                                • Opcode Fuzzy Hash: 88f98e07624f0cdc5f5406798babcb05efc51bc28ea43e2309e29ec04d21d8db
                                                • Instruction Fuzzy Hash: 5A2126A1A042806BC310FB6AD80A76B7B9497D1319F44407EF849532E2DB3C5999CB9F
                                                APIs
                                                • GetStdHandle.KERNEL32(000000F6), ref: 00448943
                                                • GetFileType.KERNEL32(00000000), ref: 00448955
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FileHandleType
                                                • String ID: (Mj
                                                • API String ID: 3000768030-565147460
                                                • Opcode ID: ccc95ea5b6d1fe52f093f2cf044264499b4e41becef1697495b2cca3fae492d0
                                                • Instruction ID: e72e3a163d38be5f7a7623f46eac45f8fe04114c14e2a7ad6025d4c7bfa50cde
                                                • Opcode Fuzzy Hash: ccc95ea5b6d1fe52f093f2cf044264499b4e41becef1697495b2cca3fae492d0
                                                • Instruction Fuzzy Hash: D41145B1508F524AE7304E3D8C8863BBA959756330B380B2FD5B6867F1CF28D886954B
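The function records above follow a fixed layout: an APIs list (direct calls plus "Part of subcall function" entries, each with its module, arguments and a ref address), a Strings list, the memory dump source, and the Similarity fields (API ID, String ID, the combined API String ID, Opcode ID and the two fuzzy hashes). The following parser is an added example for this page, not Joe Sandbox tooling: it turns records in that layout into dicts and pivots on the String ID hash. The split of "API String ID" into an API hash and a string hash is taken from the records on this page, where the string "(Mj" maps to 565147460 under three different API IDs. SAMPLE is constructed from three records on this page with the dump-source bullets shortened, which the parser ignores anyway.

```python
"""Parse the per-function 'Similarity' records of a Joe Sandbox listing.

Added example, not Joe Sandbox code. SAMPLE is constructed from records on
this page; the Associated/Snapshot bullets are omitted because the parser
skips them.
"""
import re
from collections import defaultdict

# One API bullet, with or without a "Part of subcall function X:" prefix and
# with or without an argument list, e.g.
#   • GetFileType.KERNEL32(00000000), ref: 00448955
#   • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<fn>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
KV_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s?(?P<val>.*)$")
SIMILARITY_KEYS = {
    "API ID": "api_id", "String ID": "string_id", "API String ID": "api_string_id",
    "Opcode ID": "opcode_id", "Instruction ID": "instruction_id",
    "Opcode Fuzzy Hash": "opcode_fuzzy", "Instruction Fuzzy Hash": "instruction_fuzzy",
}
HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Yara matches", "Similarity"}


def parse_records(text):
    """Split the listing into records; every record opens with an 'APIs' heading."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADINGS:
            if line == "APIs":
                current = {"apis": [], "subcalls": [], "strings": []}
                records.append(current)
            section = line
            continue
        if current is None:          # text before the first record
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if not m:
                continue
            call = {"function": m["fn"], "module": m["mod"], "ref": m["ref"],
                    "args": [a for a in (m["args"] or "").split(",") if a]}
            if m["sub"]:
                call["subcall"] = m["sub"]
                current["subcalls"].append(call)
            else:
                current["apis"].append(call)
        elif section == "Strings":
            current["strings"].append(line.lstrip("• "))
        elif section == "Similarity":
            m = KV_RE.match(line)
            if m and m["key"] in SIMILARITY_KEYS:
                current[SIMILARITY_KEYS[m["key"]]] = m["val"]
    return records


def function_names(record):
    """All API names the function touches, including those in subcalls."""
    return {c["function"] for c in record["apis"] + record["subcalls"]}


def string_hash(record):
    """Second half of 'API String ID': the hash of the String ID set (on this
    page '(Mj' is 565147460 under three different API IDs)."""
    return record.get("api_string_id", "").split("-")[-1]


def pivot_by_string_hash(records):
    """Group record indices by string hash, to find functions sharing strings."""
    groups = defaultdict(list)
    for i, rec in enumerate(records):
        groups[string_hash(rec)].append(i)
    return dict(groups)


# Constructed from three records on this page (dump-source bullets shortened).
SAMPLE = """
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 00448943
• GetFileType.KERNEL32(00000000), ref: 00448955
Strings
Memory Dump Source
• Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: FileHandleType
• String ID: (Mj
• API String ID: 3000768030-565147460
• Opcode ID: ccc95ea5b6d1fe52f093f2cf044264499b4e41becef1697495b2cca3fae492d0
APIs
Strings
Similarity
• API ID: _free
• String ID: (Mj
• API String ID: 269201875-565147460
APIs
  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
• CloseHandle.KERNEL32(?), ref: 0040A7CA
• UnhookWindowsHookEx.USER32 ref: 0040A7DD
Strings
Similarity
• API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
• String ID: Online Keylogger Stopped
• API String ID: 1623830855-1496645233
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for i, rec in enumerate(recs):
        print(i, rec.get("api_id"), sorted(function_names(rec)))
    print(pivot_by_string_hash(recs))
```

The pivot is the useful part when triaging many of these records: two functions with different API IDs but the same string hash (here the "(Mj" pair) are candidates for the same code region touched from different call sites, and the Opcode ID and Instruction Fuzzy Hash fields the parser keeps can then be compared across reports of other samples.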
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free
                                                • String ID: (Mj
                                                • API String ID: 269201875-565147460
                                                • Opcode ID: ca01ae77a811ea6e1882d950de224612bd516a70c3fdde4a712b874a0400f1fb
                                                • Instruction ID: 8090df87744a04f370904591f18fafe20db4d8262e12f9b5c6200b5f8240d2d1
                                                • Opcode Fuzzy Hash: ca01ae77a811ea6e1882d950de224612bd516a70c3fdde4a712b874a0400f1fb
                                                • Instruction Fuzzy Hash: C111E671A4030147F7249F2DAC42F563298E755734F25222BF979EB6E0D778C892428E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: LG$XG
                                                • API String ID: 0-1482930923
                                                • Opcode ID: c15126115d7b74b818ce8cc4bfc83f894c4a74ec01747284a75d25f55942686d
                                                • Instruction ID: b803d8f2fb0d60b71c32d24796bf113498d2ea24005d64aa96dbf80bf0db992b
                                                • Opcode Fuzzy Hash: c15126115d7b74b818ce8cc4bfc83f894c4a74ec01747284a75d25f55942686d
                                                • Instruction Fuzzy Hash: CE11A3B1D01654AACB20EFA998017CFB7A55F09725F14D06BED18EF281D3B9DB408B98
                                                APIs
                                                • GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: LocalTime
                                                • String ID: | $%02i:%02i:%02i:%03i
                                                • API String ID: 481472006-2430845779
                                                • Opcode ID: 9b95a0a033af4e6b3b54331b4a103e7e6270c3a9d1cca9dd8a72674f32e816fd
                                                • Instruction ID: d205b4ebe2adc0156a37935a73d605e8b5d9817e81284f53efab16a15aec7ece
                                                • Opcode Fuzzy Hash: 9b95a0a033af4e6b3b54331b4a103e7e6270c3a9d1cca9dd8a72674f32e816fd
                                                • Instruction Fuzzy Hash: 80114C725082045AC704EBA5D8568AF73E8AB94708F10053FFC85931E1EF38DA84C69E
                                                APIs
                                                • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00412612
                                                • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00412648
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: QueryValue
                                                • String ID: TUF
                                                • API String ID: 3660427363-3431404234
                                                • Opcode ID: ea05bdfc88d730103140c1813835b768b0c4990d0bb52d9cb4e5ffcfc942b32d
                                                • Instruction ID: 62a4949b47554db758ef5e9b715c6ec4cc130d120bf99ac1ec1555789b8052d8
                                                • Opcode Fuzzy Hash: ea05bdfc88d730103140c1813835b768b0c4990d0bb52d9cb4e5ffcfc942b32d
                                                • Instruction Fuzzy Hash: BC01A7B6A00108BFDB049B95DD46EFF7ABDDF44240F10007AF901E2251E6749F009664
                                                APIs
                                                  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                  • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                • CloseHandle.KERNEL32(?), ref: 0040A7CA
                                                • UnhookWindowsHookEx.USER32 ref: 0040A7DD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                • String ID: Online Keylogger Stopped
                                                • API String ID: 1623830855-1496645233
                                                • Opcode ID: fe6e18c6252a0bee342ef941cd7d9d06612fb05f1df7cb5e72a2689b447559bc
                                                • Instruction ID: 3c154674506c802d119dc10506b29c5389a087cae46ba36945c53301bfe6088f
                                                • Opcode Fuzzy Hash: fe6e18c6252a0bee342ef941cd7d9d06612fb05f1df7cb5e72a2689b447559bc
                                                • Instruction Fuzzy Hash: CC01D431A043019BDB25BB35C80B7AEBBB59B45315F80407FE481225D2EB7999A6C3DB
                                                APIs
                                                  • Part of subcall function 00444ACC: EnterCriticalSection.KERNEL32(-00471558,?,0044225B,00000000,0046DAC0,0000000C,00442216,0000000A,?,?,00448739,0000000A,?,00446F74,00000001,00000364), ref: 00444ADB
                                                • DeleteCriticalSection.KERNEL32(?,?,?,?,?,0046DCA8,00000010,0043AD15), ref: 004487C5
                                                • _free.LIBCMT ref: 004487D3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CriticalSection$DeleteEnter_free
                                                • String ID: (Mj
                                                • API String ID: 1836352639-565147460
                                                • Opcode ID: 70fd0d90dafa84e5954845fa7c0139c51f18b2004160b2b9a8cec1cc6ebfe676
                                                • Instruction ID: 80ff6b1ebb5c52940da2afcd5602a1ef1f033d169bf7bf1965dfa6e3099da3c5
                                                • Opcode Fuzzy Hash: 70fd0d90dafa84e5954845fa7c0139c51f18b2004160b2b9a8cec1cc6ebfe676
                                                • Instruction Fuzzy Hash: 6E1179359002059FE724DF99D842B5C73B0EB08729F25415AE865AB2B2CB38E8828B0D
                                                APIs
                                                  • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                  • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                  • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                  • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                • _abort.LIBCMT ref: 0044DE19
                                                • _free.LIBCMT ref: 0044DE4D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast_abort_free
                                                • String ID: HFj
                                                • API String ID: 289325740-2324456879
                                                • Opcode ID: cba5e3b893efa1f4c196fd8b6ab646112b65b39245522f8e75cb99aab8fd3b38
                                                • Instruction ID: 263febff8c983af4c5f1177bd945a1efbcaaba8aa324727b7c5e6bdf69b19c8f
                                                • Opcode Fuzzy Hash: cba5e3b893efa1f4c196fd8b6ab646112b65b39245522f8e75cb99aab8fd3b38
                                                • Instruction Fuzzy Hash: A00152B1D02A21DBEB71AF69840125EB360AF58B51B65411BE954AB382C7386941CFCE
                                                APIs
                                                • IsValidLocale.KERNEL32(00000000,j=D,00000000,00000001,?,?,00443D6A,?,?,?,?,00000004), ref: 004477DC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: LocaleValid
                                                • String ID: IsValidLocaleName$j=D
                                                • API String ID: 1901932003-3128777819
                                                • Opcode ID: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                                • Instruction ID: d075984350fdfa8650c9f53b231b8a0b142c4dacf6ed37e79753978632a381d4
                                                • Opcode Fuzzy Hash: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                                • Instruction Fuzzy Hash: B7F0E930A45218F7EA116B61DC06F5EBB54CF49B11F50407AFD056A293CB796D0195DC
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: H_prolog
                                                • String ID: T=G$T=G
                                                • API String ID: 3519838083-3732185208
                                                • Opcode ID: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
                                                • Instruction ID: 37a3980bbf64332544f5ef03d086655580814226aad47650f393c0c18fea351b
                                                • Opcode Fuzzy Hash: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
                                                • Instruction Fuzzy Hash: BCF0E971A00220ABC714BB65C80669EB774EF41369F10827FB416B72E1CBBD5D04D65D
                                                APIs
                                                • GetKeyState.USER32(00000011), ref: 0040AD5B
                                                  • Part of subcall function 00409B10: GetForegroundWindow.USER32(?,?,004740F8), ref: 00409B3F
                                                  • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                  • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                  • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
                                                  • Part of subcall function 00409B10: GetKeyboardState.USER32(?,?,004740F8), ref: 00409B67
                                                  • Part of subcall function 00409B10: ToUnicodeEx.USER32(0047414C,00000000,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                  • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                  • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                • String ID: [AltL]$[AltR]
                                                • API String ID: 2738857842-2658077756
                                                • Opcode ID: 0fd097a0a4b99d70b02a08e9004214b89ee8ccd3163f9cf7526c1a47b2b50f16
                                                • Instruction ID: d2c0c429c9fe13b3c6c970781ecfc4970ab7400740a1dec538c1fc9fef0a0b20
                                                • Opcode Fuzzy Hash: 0fd097a0a4b99d70b02a08e9004214b89ee8ccd3163f9cf7526c1a47b2b50f16
                                                • Instruction Fuzzy Hash: 47E0652134072117C898323EA91E6EE3A228F82B65B80416FF8866BAD6DD6D4D5053CB
                                                APIs
                                                • _free.LIBCMT ref: 00448825
                                                  • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                  • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorFreeHeapLast_free
                                                • String ID: `@$`@
                                                • API String ID: 1353095263-20545824
                                                • Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                • Instruction ID: 46705ffcfacdd7a720b29fb61e5cb4af2d59a6418439a2947ca99394172970e0
                                                • Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                • Instruction Fuzzy Hash: B9E06D761006059F8720DE6DD400A86B7E4EF95360320852AE89DE3310DB32E812CB40
                                                APIs
                                                • GetKeyState.USER32(00000012), ref: 0040ADB5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.4774961973.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775008475.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775028416.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.4775064186.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: State
                                                • String ID: [CtrlL]$[CtrlR]
                                                • API String ID: 1649606143-2446555240
                                                • Opcode ID: 8f256fbae12a6d1972e20e0d193ff0540306bf2bf736503aba8af0ee0077a29a
                                                • Instruction ID: 615b7dbe40c0b8188db9493e0f2b19f017fb36a74fa458c508a435569d7d4a1e
                                                • Opcode Fuzzy Hash: 8f256fbae12a6d1972e20e0d193ff0540306bf2bf736503aba8af0ee0077a29a
                                                • Instruction Fuzzy Hash: 71E0862170071117C514353DD61A67F39228F41776F80013FF882ABAC6E96D8D6023CB
                                                APIs
                                                • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040BFB2,00000000,004742E0,004742F8,?,pth_unenc), ref: 00412988
                                                • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412998
                                                Strings
                                                • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: DeleteOpenValue
                                                • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                • API String ID: 2654517830-1051519024
                                                • Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                • Instruction ID: 4813e9247c8a4fa7715124fbb4df20ddc3d96ddce1d5e270e7c0f337b45b5704
                                                • Opcode Fuzzy Hash: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                • Instruction Fuzzy Hash: 0AE01270310304BFEF104F61ED06FDB37ACBB80B89F004165F505E5191E2B5DD54A658
                                                APIs
                                                  • Part of subcall function 00448763: DeleteCriticalSection.KERNEL32(?,?,?,?,?,0046DCA8,00000010,0043AD15), ref: 004487C5
                                                  • Part of subcall function 00448763: _free.LIBCMT ref: 004487D3
                                                  • Part of subcall function 00448803: _free.LIBCMT ref: 00448825
                                                • DeleteCriticalSection.KERNEL32(006A4D08), ref: 0043AD31
                                                • _free.LIBCMT ref: 0043AD45
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$CriticalDeleteSection
                                                • String ID: (Mj
                                                • API String ID: 1906768660-565147460
                                                • Opcode ID: 105ba6d038f868bf5ead38a2174c8304849bb37afa14ec3855613d5ccb5e7185
                                                • Instruction ID: c0f14a4ae43bd4c9a132c894413e2ce2621f066976e8a01f329b24b3578183a2
                                                • Opcode Fuzzy Hash: 105ba6d038f868bf5ead38a2174c8304849bb37afa14ec3855613d5ccb5e7185
                                                • Instruction Fuzzy Hash: 3EE0D832C042108BF7247B5DFC469493398DB49725B13006EF81873171CA246CD1864D
                                                APIs
                                                • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040AF84
                                                • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040AFAF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: DeleteDirectoryFileRemove
                                                • String ID: pth_unenc
                                                • API String ID: 3325800564-4028850238
                                                • Opcode ID: 2e8d6704218f96b318e7a73bad0b28a6b8edcd2455483e95ffe0dafda84626ef
                                                • Instruction ID: b68931c7331ddc333ece9e06749e281aefc344294653c9eba2f2de372e339d66
                                                • Opcode Fuzzy Hash: 2e8d6704218f96b318e7a73bad0b28a6b8edcd2455483e95ffe0dafda84626ef
                                                • Instruction Fuzzy Hash: FEE046715112108BC610AB31EC44AEBB398AB05316F00487FF8D3A36A1DE38A988CA98
                                                APIs
                                                • TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                • WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ObjectProcessSingleTerminateWait
                                                • String ID: pth_unenc
                                                • API String ID: 1872346434-4028850238
                                                • Opcode ID: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                                                • Instruction ID: 4302d9c34f7b4dbdac7fc8682473a51625df35810590c52ad239c14707b44b4b
                                                • Opcode Fuzzy Hash: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                                                • Instruction Fuzzy Hash: C1D0C938559211AFD7614B68BC08B453B6AA745222F108277F828413F1C72598A4AE1C
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CommandLine
                                                • String ID: @)h
                                                • API String ID: 3253501508-2297700947
                                                • Opcode ID: 2702c5f118dd3839dbc4dd886e2cdb728e5ea39e06e223ea52f31eba807d30e7
                                                • Instruction ID: 13d69598d350970c9b91df73096b24a53109b9b907d0ea4b726438dfa3130670
                                                • Opcode Fuzzy Hash: 2702c5f118dd3839dbc4dd886e2cdb728e5ea39e06e223ea52f31eba807d30e7
                                                • Instruction Fuzzy Hash: 09B0027D8157009FC7419F79BD5D1443BA0B75861339094B5DC19C7B35DA358085EF18
                                                APIs
                                                • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FAF4
                                                • GetLastError.KERNEL32 ref: 0043FB02
                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB5D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.4774976226.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_1732341066786265aade6e9541774ff20509504237780da7874a65dc23bf44c6634c55.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ByteCharMultiWide$ErrorLast
                                                • String ID:
                                                • API String ID: 1717984340-0
                                                • Opcode ID: a3a9a9c7793c2081db5377885f607edf127f94d6c053b0090e31d102b176707d
                                                • Instruction ID: ecac45699e256c48587d6f27f66036641a8fb520bb473c9b2adecd150689d728
                                                • Opcode Fuzzy Hash: a3a9a9c7793c2081db5377885f607edf127f94d6c053b0090e31d102b176707d
                                                • Instruction Fuzzy Hash: 65414871E00206AFCF258F65C854ABBFBA4EF09310F1451BAF858973A1DB38AD09C759