

Windows Analysis Report
1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe

Overview

General Information

Sample name:1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe
Analysis ID:1430791
MD5:4cf8283349d416ede72e0d3775d23972
SHA1:1a9cf0bbae717aebabea0b6933ce67604ce91733
SHA256:15113629d65d474d78089e91ee269220b68fdcff8c4df46ea1da0af21cd559e3
Tags:base64-decodedexe

Detection

Remcos
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Installs a global keyboard hook
Machine Learning detection for sample
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": "jimbb.ydns.eu:6991:1", "Assigned name": "JIMBO", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmcerytuyiuoio-2AOB3L", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
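The extracted configuration above is the most directly actionable part of this report: the C2 host and port, the two autostart flags, the copy-file name, the mutex and the keylog file name can all be turned into hunt indicators. The Python below is an added example, not Joe Sandbox or Remcos code. It derives indicators from the config fields the extractor printed and matches them against Sysmon-style events. The event records are constructed: the file-create event mirrors the C:\ProgramData\remcos\logs.dat write this report observed for PID 7324, while the registry and network events show what the enabled Run-key flags and the configured C2 would produce (the report shows the TCP connection to port 6991 but lists no registry write, since the Install flag is disabled). The mapping of "Setup HKCU\Run" / "Setup HKLM\Run" to the CurrentVersion\Run keys and the SID in the constructed HKU path are assumptions.

```python
"""Derive host indicators from an extracted Remcos configuration and match
them against Sysmon-style events (added example; not Joe Sandbox or Remcos code).
"""
import ntpath

# Subset of the configuration the report's extractor printed for this sample;
# the remaining fields are not needed for the indicators derived below.
REMCOS_CONFIG = {
    "Host:Port:Password": "jimbb.ydns.eu:6991:1",
    "Setup HKCU\\Run": "Enable",
    "Setup HKLM\\Run": "Enable",
    "Copy file": "remcos.exe",
    "Mutex": "Rmcerytuyiuoio-2AOB3L",
    "Keylog flag": "1",
    "Keylog file": "logs.dat",
}

# Assumption: the "Setup HKCU\Run" / "Setup HKLM\Run" flags refer to the
# standard autostart key under each hive.
RUN_KEY_SUFFIX = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"


def derive_indicators(cfg):
    """Turn config fields into values a SIEM or EDR query can match on."""
    host, port, _password = cfg["Host:Port:Password"].split(":", 2)
    ind = {
        "c2_host": host.lower(),
        "c2_port": int(port),
        "copy_file": cfg["Copy file"].lower(),
        "mutex": cfg["Mutex"],  # for handle/memory hunting; Sysmon does not log mutexes
        "keylog_file": cfg["Keylog file"].lower() if cfg.get("Keylog flag") == "1" else None,
        "run_keys": [],
    }
    if cfg.get("Setup HKCU\\Run") == "Enable":
        ind["run_keys"].append("HKCU\\" + RUN_KEY_SUFFIX)
    if cfg.get("Setup HKLM\\Run") == "Enable":
        ind["run_keys"].append("HKLM\\" + RUN_KEY_SUFFIX)
    return ind


def match_event(ind, ev):
    """Return a reason string if a Sysmon-style event hits an indicator, else None."""
    eid = ev["EventID"]
    if eid == 11 and ind["keylog_file"]:  # FileCreate
        if ntpath.basename(ev["TargetFilename"]).lower() == ind["keylog_file"]:
            return "keylog file created: " + ev["TargetFilename"]
    elif eid == 13 and ind["run_keys"]:  # RegistryEvent (value set)
        # Sysmon writes HKCU keys as HKU\<SID>\..., so match on the key tail
        # plus the configured copy-file name in the written value.
        target = ev["TargetObject"].upper()
        if ("\\" + RUN_KEY_SUFFIX.upper() + "\\") in target and ind["copy_file"] in ev["Details"].lower():
            return "Run-key persistence pointing at " + ind["copy_file"]
    elif eid == 3:  # NetworkConnect
        if ev["DestinationPort"] == ind["c2_port"] and ev.get("DestinationHostname", "").lower() == ind["c2_host"]:
            return "C2 connection to %s:%d" % (ind["c2_host"], ind["c2_port"])
    return None


# Constructed events. The first mirrors the report's observed logs.dat write;
# the SID, the registry write and the benign temp file are made up for the demo.
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 7324, "TargetFilename": "C:\\ProgramData\\remcos\\logs.dat"},
    {"EventID": 13, "ProcessId": 7324,
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos",
     "Details": "C:\\ProgramData\\remcos\\remcos.exe"},
    {"EventID": 3, "ProcessId": 7324, "DestinationHostname": "jimbb.ydns.eu",
     "DestinationIp": "23.226.132.239", "DestinationPort": 6991},
    {"EventID": 11, "ProcessId": 4242, "TargetFilename": "C:\\Users\\user\\AppData\\Local\\Temp\\report.tmp"},
]


def hunt(cfg=REMCOS_CONFIG, events=SAMPLE_EVENTS):
    """Return (EventID, reason) for every event that matches a derived indicator."""
    ind = derive_indicators(cfg)
    hits = []
    for ev in events:
        reason = match_event(ind, ev)
        if reason:
            hits.append((ev["EventID"], reason))
    return hits


if __name__ == "__main__":
    for eid, reason in hunt():
        print("EventID %d: %s" % (eid, reason))
```

The same derivation works for any Remcos config the extractor emits; only the constructed events need replacing with real Sysmon output.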
Source | Rule | Description | Author | Strings
1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6aaa8:$a1: Remcos restarted by watchdog!
  • 0x6b020:$a3: %02i:%02i:%02i:%03i
1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | REMCOS_RAT_variants | unknown | unknown
  • 0x64afc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b6c:$str_b2: Executing file:
  • 0x65bec:$str_b3: GetDirectListeningPort
  • 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65718:$str_b7: \update.vbs
  • 0x64b94:$str_b9: Downloaded file:
  • 0x64b80:$str_b10: Downloading file:
  • 0x64c24:$str_b12: Failed to upload file:
  • 0x65bb4:$str_b13: StartForward
  • 0x65bd4:$str_b14: StopForward
  • 0x65670:$str_b15: fso.DeleteFile "
  • 0x65604:$str_b16: On Error Resume Next
  • 0x656a0:$str_b17: fso.DeleteFolder "
  • 0x64c14:$str_b18: Uploaded file:
  • 0x64bd4:$str_b19: Unable to delete:
  • 0x65638:$str_b20: while fso.FileExists("
  • 0x650b1:$str_c0: [Firefox StoredLogins not found]
1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  • 0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x6497c:$s1: CoGetObject
  • 0x64990:$s1: CoGetObject
  • 0x649ac:$s1: CoGetObject
  • 0x6e938:$s1: CoGetObject
  • 0x6493c:$s2: Elevation:Administrator!new:
Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Source | Rule | Description | Author | Strings
00000000.00000002.3810962160.000000000232F000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x134a8:$a1: Remcos restarted by watchdog!
  • 0x13a20:$a3: %02i:%02i:%02i:%03i
00000000.00000000.1331015106.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
(6 further memory matches not expanded in this report)
Source | Rule | Description | Author | Strings
0.2.1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0.2.1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0.2.1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6aaa8:$a1: Remcos restarted by watchdog!
  • 0x6b020:$a3: %02i:%02i:%02i:%03i
0.2.1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x64afc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64b6c:$str_b2: Executing file:
  • 0x65bec:$str_b3: GetDirectListeningPort
  • 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65718:$str_b7: \update.vbs
  • 0x64b94:$str_b9: Downloaded file:
  • 0x64b80:$str_b10: Downloading file:
  • 0x64c24:$str_b12: Failed to upload file:
  • 0x65bb4:$str_b13: StartForward
  • 0x65bd4:$str_b14: StopForward
  • 0x65670:$str_b15: fso.DeleteFile "
  • 0x65604:$str_b16: On Error Resume Next
  • 0x656a0:$str_b17: fso.DeleteFolder "
  • 0x64c14:$str_b18: Uploaded file:
  • 0x64bd4:$str_b19: Unable to delete:
  • 0x65638:$str_b20: while fso.FileExists("
  • 0x650b1:$str_c0: [Firefox StoredLogins not found]
0.2.1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  • 0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x6497c:$s1: CoGetObject
  • 0x64990:$s1: CoGetObject
  • 0x649ac:$s1: CoGetObject
  • 0x6e938:$s1: CoGetObject
  • 0x6493c:$s2: Elevation:Administrator!new:
(5 further unpacked-PE matches not expanded in this report)
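Three of the rule hits above (JoeSecurity_UACBypassusingCMSTP, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM and the EnableLUA strings in REMCOS_RAT_variants) key on the same artefacts: the CMSTPLUA CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7}, the "Elevation:Administrator!new:" moniker that CoGetObject resolves into an auto-elevated COM object (CMSTPLUA exposes an interface that launches a process with administrator rights without a UAC prompt, which is why the report lists "Contains functionality to bypass UAC (CMSTPLUA)"), and the reg.exe command that turns EnableLUA off. The Python below is an added example, not any of the quoted YARA rules or Remcos code: it scans a buffer for these strings in both ASCII and UTF-16LE (CoGetObject takes a wide string, so the moniker is often stored wide) and returns a verdict in the spirit of the rules. The buffer it scans is constructed for the demonstration and is not the report's binary; the truncated "REG_DWOR" in the rule strings is left as the report shows it and is not completed here.

```python
"""Byte scan for the CMSTP COM UAC-bypass indicators the matched YARA rules key on
(added example; not the quoted rules, not Joe Sandbox or Remcos code).
"""
import re

CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
ELEVATION_MONIKER = "Elevation:Administrator!new:"
# Prefix of the reg.exe command seen in the REMCOS_RAT_variants strings.
ENABLELUA_CMD = "reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA"


def _patterns(text):
    """Compile ASCII and UTF-16LE forms of a string, case-insensitive on ASCII letters."""
    return [
        re.compile(re.escape(text.encode("ascii")), re.IGNORECASE),
        re.compile(re.escape(text.encode("utf-16-le")), re.IGNORECASE),
    ]


INDICATORS = {
    "cmstplua_clsid": _patterns(CMSTPLUA_CLSID),
    "elevation_moniker": _patterns(ELEVATION_MONIKER),
    "cogetobject_import": [re.compile(rb"CoGetObject")],  # import name is plain ASCII
    "enablelua_reg_add": _patterns(ENABLELUA_CMD),
}


def scan(buf):
    """Return {indicator_name: [sorted offsets]} for every indicator present in buf."""
    hits = {}
    for name, pats in INDICATORS.items():
        offs = sorted({m.start() for p in pats for m in p.finditer(buf)})
        if offs:
            hits[name] = offs
    return hits


def verdict(hits):
    """Moniker plus CMSTPLUA CLSID is the COM bypass; the reg.exe command on its
    own is UAC tampering (disabling EnableLUA) rather than a bypass."""
    if {"elevation_moniker", "cmstplua_clsid"} <= hits.keys():
        return "uac_bypass_cmstp_com"
    if "enablelua_reg_add" in hits:
        return "uac_disable_enablelua"
    return "clean"


# Constructed sample buffer: wide moniker + CLSID at offset 16, then the
# CoGetObject import name, then the reg.exe command as an ASCII string.
SAMPLE = (
    b"\x00" * 16
    + ELEVATION_MONIKER.encode("utf-16-le")
    + CMSTPLUA_CLSID.encode("utf-16-le")
    + b"\x00" * 8
    + b"CoGetObject\x00"
    + b"\x00" * 8
    + b"/k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA\x00"
)


if __name__ == "__main__":
    found = scan(SAMPLE)
    for name, offs in found.items():
        print("%-20s %s" % (name, ", ".join(hex(o) for o in offs)))
    print("verdict:", verdict(found))
```

Run the scan over the unpacked image (the 0.2.*.400000.0.unpack source above) rather than the packed sample when the strings are built at runtime; the offsets it prints are comparable to the YARA string offsets in the report.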

                    Stealing of Sensitive Information

                    barindex
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, ProcessId: 7324, TargetFilename: C:\ProgramData\remcos\logs.dat
                    No Snort rule has matched



                    AV Detection

                    barindex
Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | Avira: detected
Source: http://geoplugin.net/json.gp | URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp/C | URL Reputation: Label: phishing
Source: 00000000.00000002.3810654995.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "jimbb.ydns.eu:6991:1", "Assigned name": "JIMBO", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmcerytuyiuoio-2AOB3L", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | ReversingLabs: Detection: 86%
Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | Virustotal: Detection: 85%
Source: Yara match | File source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3810962160.000000000232F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1331015106.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3810654995.00000000004BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe PID: 7324, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | Code function: 0_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_00433837
Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_9565aca4-a

                    Exploits

                    barindex
Source: Yara match | File source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1331015106.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe PID: 7324, type: MEMORYSTR

                    Privilege Escalation

                    barindex
Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | Code function: 0_2_004074FD _wcslen,CoGetObject,0_2_004074FD
Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | Code function: 0_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_00409253
Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | Code function: 0_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,0_2_0041C291
Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | Code function: 0_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,0_2_0040C34D
Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | Code function: 0_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_00409665
Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | Code function: 0_2_0044E879 FindFirstFileExA,0_2_0044E879
Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | Code function: 0_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,0_2_0040880C
Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | Code function: 0_2_0040783C FindFirstFileW,FindNextFileW,0_2_0040783C
Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | Code function: 0_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00419AF5
Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | Code function: 0_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040BB30
Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | Code function: 0_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040BD37
Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | Code function: 0_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00407C97

                    Networking

                    barindex
Source: Malware configuration extractor | URLs: jimbb.ydns.eu
Source: global traffic | TCP traffic: 192.168.2.9:49706 -> 23.226.132.239:6991
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1; Host: geoplugin.net; Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | ASN Name: ASN-QUADRANET-GLOBALUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (3 occurrences)
Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | Code function: 0_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_0041B380
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1; Host: geoplugin.net; Cache-Control: no-cache
Source: unknown | DNS traffic detected: queries for: jimbb.ydns.eu
Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000003.1371700815.0000000000523000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/
Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe and memory dumps 00000000.00000002.3810654995.00000000004BE000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1371859967.000000000054D000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1371700815.0000000000500000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.3810654995.000000000054E000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.3810654995.0000000000500000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000003.1371700815.0000000000500000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp4
Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000003.1371700815.0000000000500000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.3810654995.0000000000500000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpD
Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000002.3810654995.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpF
Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000003.1371700815.0000000000500000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.3810654995.0000000000500000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpK
Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000002.3810654995.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000003.1371700815.0000000000500000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.3810654995.0000000000500000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpZ
Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000003.1371700815.0000000000500000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpl
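Two of the networking signatures this report raised, "HTTP GET or POST without a user agent" and "Detected TCP or UDP traffic on non-standard ports", are easy to reproduce from packet or proxy data, and the geoplugin.net request above is a good test case because it carries only Host and Cache-Control headers. The Python below is an added example, not Joe Sandbox code: it parses the request as the report lists it and evaluates connection records constructed from the report's addresses (192.168.2.9 -> 23.226.132.239:6991 and the 1.1.1.1 DNS traffic). The record field names follow Zeek's conn.log (id.resp_h, id.resp_p, proto, service) and are an assumption about the log format, the originator ports other than 49706 are made up, treating 178.237.33.50 as the geoplugin.net web server is an assumption, and the set of "standard" ports is a choice made here rather than a Joe Sandbox definition.

```python
"""Network-side checks for two signatures in this report: HTTP requests without a
User-Agent and TCP/UDP traffic to non-standard ports (added example; not Joe Sandbox code).
"""

# Reconstructed from the header fields the report lists for the geoplugin.net request.
REQUEST_WITHOUT_UA = (
    b"GET /json.gp HTTP/1.1\r\n"
    b"Host: geoplugin.net\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
)

# Constructed control case: an ordinary browser-style request.
REQUEST_WITH_UA = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)

# Ports treated as "standard" for this demo (a local choice, not a Joe Sandbox list).
STANDARD_PORTS = {21, 22, 25, 53, 80, 110, 123, 143, 443, 465, 587, 993, 995, 3389}


def parse_request(raw):
    """Split an HTTP/1.x request into method, target, version and lower-cased headers."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _colon, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def http_findings(raw):
    """Flag GET/POST without User-Agent and the geoplugin.net lookup seen in this report."""
    req = parse_request(raw)
    findings = []
    if req["method"] in ("GET", "POST") and "user-agent" not in req["headers"]:
        findings.append("no User-Agent on %s %s" % (req["method"], req["target"]))
    if req["headers"].get("host", "").lower() == "geoplugin.net":
        findings.append("geoplugin.net geo-IP lookup (as observed in this report)")
    return findings


# Constructed Zeek-style conn records built from the report's addresses.
SAMPLE_CONNS = [
    {"proto": "tcp", "id.orig_h": "192.168.2.9", "id.orig_p": 49706,
     "id.resp_h": "23.226.132.239", "id.resp_p": 6991, "service": None},
    {"proto": "tcp", "id.orig_h": "192.168.2.9", "id.orig_p": 49707,
     "id.resp_h": "178.237.33.50", "id.resp_p": 80, "service": "http"},
    {"proto": "udp", "id.orig_h": "192.168.2.9", "id.orig_p": 61000,
     "id.resp_h": "1.1.1.1", "id.resp_p": 53, "service": "dns"},
]


def port_findings(conns):
    """Flag TCP/UDP flows whose responder port is outside the standard set."""
    out = []
    for c in conns:
        if c["proto"] in ("tcp", "udp") and c["id.resp_p"] not in STANDARD_PORTS:
            out.append("%s %s:%d on non-standard port (service: %s)"
                       % (c["proto"], c["id.resp_h"], c["id.resp_p"], c["service"] or "none"))
    return out


if __name__ == "__main__":
    for f in http_findings(REQUEST_WITHOUT_UA) + port_findings(SAMPLE_CONNS):
        print(f)
```

On real data, feed `http_findings` the request bytes from a proxy or `http.log` reconstruction and `port_findings` the parsed `conn.log` rows; the 6991 flow is what the report's "TCP traffic" line shows and is the one that should surface.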

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    barindex
Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | Code function: 0_2_0040A2B8 SetWindowsHookExA 0000000D (WH_KEYBOARD_LL),0040A2A4,00000000 0_2_0040A2B8
Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe
Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | Code function: 0_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,0_2_0040B70E
Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | Code function: 0_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,0_2_004168C1
Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | Code function: 0_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,0_2_0040B70E
Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | Code function: 0_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,0_2_0040A3E0

                    E-Banking Fraud

                    barindex
Source: Yara match | File source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3810962160.000000000232F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1331015106.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3810654995.00000000004BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe PID: 7324, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                    Spam, unwanted Advertisements and Ransom Demands

                    barindex
Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | Code function: 0_2_0041C9E2 SystemParametersInfoW,0_2_0041C9E2

                    System Summary

                    barindex
                    Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, type: SAMPLEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, type: SAMPLEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, type: SAMPLEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0.2.1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0.2.1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 0.2.1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0.0.1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0.0.1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 0.0.1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000000.00000000.1331015106.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe PID: 7324, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Process Stats: CPU usage > 49%
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: 0_2_004132D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: 0_2_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: 0_2_0041BB35 OpenProcess,NtResumeProcess,CloseHandle
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: 0_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: 0_2_0043E0CC
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: 0_2_0041F0FA
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: 0_2_00454159
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: 0_2_00438168
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: 0_2_004461F0
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: 0_2_0043E2FB
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: 0_2_0045332B
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: 0_2_0042739D
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: 0_2_004374E6
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: 0_2_0043E558
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: 0_2_00438770
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: 0_2_004378FE
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: 0_2_00433946
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: 0_2_0044D9C9
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: 0_2_00427A46
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: 0_2_0041DB62
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: 0_2_00427BAF
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: 0_2_00437D33
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: 0_2_00435E5E
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: 0_2_00426E0E
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: 0_2_0043DE9D
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: 0_2_00413FCA
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: 0_2_00436FEA
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: String function: 00434E10 appears 54 times
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: String function: 00402093 appears 50 times
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: String function: 00434770 appears 42 times
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: String function: 00401E65 appears 34 times
                    Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, type: SAMPLE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, type: SAMPLE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0.2.1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 0.2.1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 0.2.1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0.0.1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 0.0.1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 0.0.1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 00000000.00000000.1331015106.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe PID: 7324, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: classification engine Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@1/2@3/2
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: 0_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: 0_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: 0_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: 0_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\json[1].json
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmcerytuyiuoio-2AOB3L
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Command line argument: PG (0_2_0040E9C5; 15 occurrences)
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Command line argument: Software\ (0_2_0040E9C5)
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Command line argument: Exe (0_2_0040E9C5; 2 occurrences)
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Command line argument: Inj (0_2_0040E9C5; 2 occurrences)
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Command line argument: 8SG (0_2_0040E9C5; 2 occurrences)
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Command line argument: exepath (0_2_0040E9C5; 2 occurrences)
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Command line argument: licence (0_2_0040E9C5)
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Command line argument: dMG (0_2_0040E9C5)
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Command line argument: PSG (0_2_0040E9C5)
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Command line argument: Administrator (0_2_0040E9C5)
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Command line argument: User (0_2_0040E9C5)
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Command line argument: del (0_2_0040E9C5; 3 occurrences)
                    Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe ReversingLabs: Detection: 86%
                    Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Virustotal: Detection: 85%
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Section loaded: winmm.dll
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Section loaded: wininet.dll
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Section loaded: rstrtmgr.dll
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Section loaded: ncrypt.dll
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Section loaded: ntasn1.dll
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Section loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Section loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Section loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Section loaded: winnsi.dll
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
                    Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                    Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                    Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                    Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                    Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                    Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                    Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                    Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                    Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                    Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: 0_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: 0_2_00457106 push ecx; ret 0_2_00457119
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: 0_2_00457A28 push eax; ret 0_2_00457A46
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: 0_2_00434E56 push ecx; ret 0_2_00434E69
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: 0_2_00406EB0 ShellExecuteW,URLDownloadToFileW
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: 0_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Code function: 0_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe Process information set: NOOPENFILEERRORBOX
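                    The "Code function" lines in this report give, per resolved function, the sequence of imported APIs it calls: token privilege adjustment at 0_2_00417952, Toolhelp process enumeration at 0_2_0040F474, service start at 0_2_0041AA4A, download-and-execute (URLDownloadToFileW then ShellExecuteW) at 0_2_00406EB0, process suspension at 0_2_0041BB09, and the long LoadLibraryA/GetProcAddress chain at 0_2_0041CB50. A quick way to triage such a report is to turn those sequences into capability tags. The script below is an added example written for this page; it is neither Joe Sandbox code nor part of the sample. Its input lines are copied from this report with the sample path shortened to sample.exe, and the capability map, the A/W name folding and the GetProcAddress threshold are this example's own assumptions, not the sandbox's signature logic.

```python
"""Capability tagging over Joe Sandbox 'Code function' lines (added example)."""
import re
from collections import Counter

# Constructed input: 'Code function' lines as printed in this report, with the
# long sample path abbreviated to sample.exe. The last line has no API list,
# exactly as the report prints functions without resolved imports.
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\sample.exe Code function: 0_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,
Source: C:\Users\user\Desktop\sample.exe Code function: 0_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,
Source: C:\Users\user\Desktop\sample.exe Code function: 0_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,
Source: C:\Users\user\Desktop\sample.exe Code function: 0_2_00406EB0 ShellExecuteW,URLDownloadToFileW,
Source: C:\Users\user\Desktop\sample.exe Code function: 0_2_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle,
Source: C:\Users\user\Desktop\sample.exe Code function: 0_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,
Source: C:\Users\user\Desktop\sample.exe Code function: 0_2_0043E0CC
""".strip().splitlines()

# Function id is <process index>_<snapshot>_<8 hex digits>, e.g. 0_2_00417952.
LINE_RE = re.compile(r"Code function:\s*(?P<fid>\d+_\d+_[0-9A-Fa-f]{8})\s*(?P<apis>.*)$")


def normalize(api: str) -> str:
    """Fold ANSI/Unicode import pairs (...A / ...W) onto one name so each
    pattern below is written once. Assumption: a trailing A or W after a
    lowercase letter is always the charset suffix (true for the APIs here)."""
    if len(api) > 2 and api[-1] in "AW" and api[-2].islower():
        return api[:-1]
    return api


def parse_code_functions(lines):
    """Return [(function_id, [normalized API names])] for every 'Code function' line."""
    out = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        apis = [normalize(a.strip()) for a in m.group("apis").split(",") if a.strip()]
        out.append((m.group("fid"), apis))
    return out


# Assumed capability map: a tag applies when every listed API occurs in the
# function. These sets are this example's choice, not a published taxonomy.
CAPABILITIES = {
    "token-privilege-adjust": {"OpenProcessToken", "LookupPrivilegeValue", "AdjustTokenPrivileges"},
    "process-enumeration": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"},
    "service-start": {"OpenSCManager", "OpenService", "StartService"},
    "download-and-execute": {"URLDownloadToFile", "ShellExecute"},
    "process-suspend": {"OpenProcess", "NtSuspendProcess"},
}
# Assumed threshold: this many GetProcAddress calls in one function is treated
# as a dynamic API-resolution routine rather than an incidental lookup.
DYNAMIC_RESOLVE_THRESHOLD = 3


def match_capabilities(apis):
    """Sorted list of capability tags for one function's API sequence."""
    present = set(apis)
    tags = [name for name, needed in CAPABILITIES.items() if needed <= present]
    if Counter(apis)["GetProcAddress"] >= DYNAMIC_RESOLVE_THRESHOLD:
        tags.append("dynamic-api-resolution")
    return sorted(tags)


def tag_functions(lines):
    """Map function id -> tags, keeping only functions that earned at least one tag."""
    return {fid: tags for fid, apis in parse_code_functions(lines) if (tags := match_capabilities(apis))}


if __name__ == "__main__":
    for fid, tags in tag_functions(REPORT_LINES).items():
        print(fid, ", ".join(tags))
```

                    Running the script prints one line per tagged function (the bare 0_2_0043E0CC entry gets no tag and is dropped). Because tags require the whole API set, OpenProcessToken at 0_2_00417952 does not satisfy the OpenProcess-based "process-suspend" pattern; matching on exact names after A/W folding avoids that kind of substring false positive.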

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: 0_2_0040F7A7 Sleep,ExitProcess,0_2_0040F7A7
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,0_2_0041A748
Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeWindow / User API: threadDelayed 3825
Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeWindow / User API: threadDelayed 5727
Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeWindow / User API: foregroundWindowGot 1763
Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe TID: 7352Thread sleep count: 188 > 30
Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe TID: 7352Thread sleep time: -94000s >= -30000s
Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe TID: 7356Thread sleep count: 3825 > 30
Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe TID: 7356Thread sleep time: -11475000s >= -30000s
Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe TID: 7356Thread sleep count: 5727 > 30
Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe TID: 7356Thread sleep time: -17181000s >= -30000s
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: 0_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_00409253
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: 0_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,0_2_0041C291
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: 0_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,0_2_0040C34D
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: 0_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_00409665
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: 0_2_0044E879 FindFirstFileExA,0_2_0044E879
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: 0_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,0_2_0040880C
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: 0_2_0040783C FindFirstFileW,FindNextFileW,0_2_0040783C
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: 0_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00419AF5
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: 0_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040BB30
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: 0_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040BD37
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: 0_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00407C97
                    Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000002.3810654995.00000000004BE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWp
                    Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000003.1371859967.0000000000544000.00000004.00000020.00020000.00000000.sdmp, 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000002.3810654995.0000000000523000.00000004.00000020.00020000.00000000.sdmp, 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000003.1371700815.0000000000523000.00000004.00000020.00020000.00000000.sdmp, 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000002.3810654995.0000000000544000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeAPI call chain: ExitProcess graph end nodegraph_0-48786
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: 0_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_004349F9
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: 0_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041CB50
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: 0_2_004432B5 mov eax, dword ptr fs:[00000030h]0_2_004432B5
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: 0_2_00412077 GetProcessHeap,HeapFree,0_2_00412077
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: 0_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_004349F9
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: 0_2_00434B47 SetUnhandledExceptionFilter,0_2_00434B47
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: 0_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0043BB22
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: 0_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00434FDC
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe0_2_004120F7
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: 0_2_00419627 mouse_event,0_2_00419627
                    Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000002.3810654995.0000000000523000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerd
                    Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000002.3810654995.0000000000523000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
                    Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000002.3810654995.0000000000523000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager$
                    Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000002.3810654995.0000000000523000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerEM
                    Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000002.3810654995.00000000004BE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagersInfow
                    Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000002.3810654995.0000000000523000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager.
                    Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000002.3810654995.0000000000523000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerr|
                    Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000002.3810654995.0000000000523000.00000004.00000020.00020000.00000000.sdmp, 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000003.1371700815.0000000000523000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager)
                    Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000002.3810654995.0000000000523000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerx
                    Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000002.3810654995.0000000000523000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managernet/
                    Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000002.3810654995.00000000004BE000.00000004.00000020.00020000.00000000.sdmp, 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000002.3810654995.0000000000500000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
                    Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000002.3810654995.0000000000523000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager;
                    Source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000002.3810654995.00000000004BE000.00000004.00000020.00020000.00000000.sdmp, logs.dat.0.drBinary or memory string: [Program Manager]
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: 0_2_00434C52 cpuid 0_2_00434C52
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: GetLocaleInfoA,0_2_0040F8D1
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: EnumSystemLocalesW,0_2_00452036
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_004520C3
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: GetLocaleInfoW,0_2_00452313
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: EnumSystemLocalesW,0_2_00448404
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_0045243C
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: GetLocaleInfoW,0_2_00452543
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00452610
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: GetLocaleInfoW,0_2_004488ED
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00451CD8
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: EnumSystemLocalesW,0_2_00451F50
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: EnumSystemLocalesW,0_2_00451F9B
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: 0_2_00404F51 GetLocalTime,CreateEventA,CreateThread,0_2_00404F51
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: 0_2_0041B60D GetComputerNameExW,GetUserNameW,0_2_0041B60D
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: 0_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_00449190
Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara matchFile source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, type: SAMPLE
                    Source: Yara matchFile source: 0.2.1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000002.3810962160.000000000232F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.1331015106.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.3810654995.00000000004BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe PID: 7324, type: MEMORYSTR
                    Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: \AppData\Local\Google\Chrome\User Data\Default\Login Data0_2_0040BA12
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: \AppData\Roaming\Mozilla\Firefox\Profiles\0_2_0040BB30
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: \key3.db0_2_0040BB30

                    Remote Access Functionality

                    Source: Yara matchFile source: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, type: SAMPLE
                    Source: Yara matchFile source: 0.2.1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000002.3810962160.000000000232F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.1331015106.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.3810654995.00000000004BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe PID: 7324, type: MEMORYSTR
                    Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                    Source: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exeCode function: cmd.exe0_2_0040569A
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 12 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | 1 Windows Service | 1 Bypass User Account Control | 2 Obfuscated Files or Information | 211 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 211 Input Capture | 2 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement
Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | Logon Script (Windows) | 1 Access Token Manipulation | 1 DLL Side-Loading | 2 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Windows Service | 1 Bypass User Account Control | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 11 Process Injection | 1 Masquerading | LSA Secrets | 23 System Information Discovery | SSH | Keylogging | 12 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Virtualization/Sandbox Evasion | Cached Domain Credentials | 21 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 1 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 Process Injection | Proc Filesystem | 2 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

Source | Detection | Scanner | Label | Link
1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | 87% | ReversingLabs | Win32.Backdoor.Remcos |
1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | 86% | Virustotal | | Browse
1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | 100% | Avira | BDS/Backdoor.Gen |
1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | 100% | Joe Sandbox ML | |
                    No Antivirus matches
                    No Antivirus matches
Source | Detection | Scanner | Label | Link
jimbb.ydns.eu | 2% | Virustotal | | Browse
geoplugin.net | 4% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
http://geoplugin.net/json.gp | 100% | URL Reputation | phishing |
http://geoplugin.net/json.gp | 100% | URL Reputation | phishing |
http://geoplugin.net/json.gp/C | 100% | URL Reputation | phishing |
http://geoplugin.net/json.gp4 | 0% | Avira URL Cloud | safe |
http://geoplugin.net/ | 0% | Avira URL Cloud | safe |
http://geoplugin.net/json.gpF | 0% | Avira URL Cloud | safe |
jimbb.ydns.eu | 0% | Avira URL Cloud | safe |
http://geoplugin.net/json.gpD | 0% | Avira URL Cloud | safe |
http://geoplugin.net/json.gpl | 0% | Avira URL Cloud | safe |
http://geoplugin.net/json.gpK | 0% | Avira URL Cloud | safe |
http://geoplugin.net/json.gpZ | 0% | Avira URL Cloud | safe |
http://geoplugin.net/json.gpSystem32 | 0% | Avira URL Cloud | safe |
jimbb.ydns.eu | 2% | Virustotal | | Browse
http://geoplugin.net/json.gp4 | 0% | Virustotal | | Browse
http://geoplugin.net/json.gpl | 0% | Virustotal | | Browse
http://geoplugin.net/ | 4% | Virustotal | | Browse
http://geoplugin.net/json.gpD | 0% | Virustotal | | Browse
http://geoplugin.net/json.gpK | 0% | Virustotal | | Browse
http://geoplugin.net/json.gpF | 0% | Virustotal | | Browse
http://geoplugin.net/json.gpZ | 0% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
jimbb.ydns.eu | 23.226.132.239 | true | true | | unknown
geoplugin.net | 178.237.33.50 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | true | URL Reputation: phishing; URL Reputation: phishing | unknown
jimbb.ydns.eu | true | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp4 | 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000003.1371700815.0000000000500000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gpD | 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000003.1371700815.0000000000500000.00000004.00000020.00020000.00000000.sdmp, 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000002.3810654995.0000000000500000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gpF | 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000002.3810654995.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://geoplugin.net/ | 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000003.1371700815.0000000000523000.00000004.00000020.00020000.00000000.sdmp | false | 4%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp/C | 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe | true | URL Reputation: phishing | unknown
http://geoplugin.net/json.gpl | 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000003.1371700815.0000000000500000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gpK | 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000003.1371700815.0000000000500000.00000004.00000020.00020000.00000000.sdmp, 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000002.3810654995.0000000000500000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gpZ | 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000003.1371700815.0000000000500000.00000004.00000020.00020000.00000000.sdmp, 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000002.3810654995.0000000000500000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gpSystem32 | 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, 00000000.00000002.3810654995.00000000004BE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
23.226.132.239 | jimbb.ydns.eu | United States | 8100 | ASN-QUADRANET-GLOBALUS | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1430791
                    Start date and time:2024-04-24 07:21:46 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 6m 47s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:7
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe
                    Detection:MAL
                    Classification:mal100.rans.troj.spyw.expl.evad.winEXE@1/2@3/2
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 35
                    • Number of non-executed functions: 218
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Override analysis time to 240s for sample files taking high CPU consumption
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                    • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
07:23:11 | API Interceptor | 7168795x Sleep call for process: 1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
178.237.33.50 | СПЦ №130 от 12.04.2024 подпис..exe | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | TcnD64eVFK.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | DHL Express Courier Pickup Confirmation CBJ231025122456.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Quotation.xls | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | BRUFEN ORDER VAC442_7467247728478134247.vbs | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | copy_76499Kxls.vbs | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | payment swift.xls | malicious | Remcos, DBatLoader | geoplugin.net/json.gp
178.237.33.50 | FINAL CMR.-Transportauftrag Nachlauf new.exe | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | VdwJB2cS5l.exe | malicious | Remcos, DBatLoader | geoplugin.net/json.gp
178.237.33.50 | 04172024121853atr reteks.exe | malicious | GuLoader, Remcos | geoplugin.net/json.gp
Match | Associated Sample Name / URL | Detection | Threat Name | Context
geoplugin.net | СПЦ №130 от 12.04.2024 подпис..exe | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | HFiHWvPsvA.rtf | malicious | Remcos, DBatLoader | 178.237.33.50
geoplugin.net | TcnD64eVFK.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | DHL Express Courier Pickup Confirmation CBJ231025122456.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | Quotation.xls | malicious | Remcos | 178.237.33.50
geoplugin.net | BRUFEN ORDER VAC442_7467247728478134247.vbs | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | copy_76499Kxls.vbs | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | payment swift.xls | malicious | Remcos, DBatLoader | 178.237.33.50
geoplugin.net | FINAL CMR.-Transportauftrag Nachlauf new.exe | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | VdwJB2cS5l.exe | malicious | Remcos, DBatLoader | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ATOM86-ASATOM86NL | СПЦ №130 от 12.04.2024 подпис..exe | malicious | GuLoader, Remcos | 178.237.33.50
ATOM86-ASATOM86NL | TcnD64eVFK.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | DHL Express Courier Pickup Confirmation CBJ231025122456.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | Quotation.xls | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | BRUFEN ORDER VAC442_7467247728478134247.vbs | malicious | GuLoader, Remcos | 178.237.33.50
ATOM86-ASATOM86NL | copy_76499Kxls.vbs | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | payment swift.xls | malicious | Remcos, DBatLoader | 178.237.33.50
ATOM86-ASATOM86NL | FINAL CMR.-Transportauftrag Nachlauf new.exe | malicious | GuLoader, Remcos | 178.237.33.50
ATOM86-ASATOM86NL | VdwJB2cS5l.exe | malicious | Remcos, DBatLoader | 178.237.33.50
ATOM86-ASATOM86NL | 04172024121853atr reteks.exe | malicious | GuLoader, Remcos | 178.237.33.50
ASN-QUADRANET-GLOBALUS | DHL Express Courier Pickup Confirmation CBJ231025122456.exe | malicious | Remcos | 64.188.18.137
ASN-QUADRANET-GLOBALUS | BitTorrent-7.6.exe | malicious | Unknown | 173.254.195.58
ASN-QUADRANET-GLOBALUS | BitTorrent-7.6.exe | malicious | Unknown | 173.254.195.58
ASN-QUADRANET-GLOBALUS | https://www.wsj.pm/download.php | malicious | NetSupport RAT | 185.174.102.62
ASN-QUADRANET-GLOBALUS | AWB NO. 077-57676135.exe | malicious | AgentTesla | 64.188.2.244
ASN-QUADRANET-GLOBALUS | hesaphareketi-01.pdf.SCR.exe | malicious | XWorm | 204.44.127.158
ASN-QUADRANET-GLOBALUS | 4XAsw9FSr5.elf | malicious | Unknown | 72.11.146.60
ASN-QUADRANET-GLOBALUS | Oo2yeTdq5J.elf | malicious | Mirai | 104.129.21.203
ASN-QUADRANET-GLOBALUS | SecuriteInfo.com.FileRepMalware.20155.16240.elf | malicious | Gafgyt, Mirai | 156.253.55.15
ASN-QUADRANET-GLOBALUS | uTorrent.exe | malicious | Unknown | 67.215.246.203
                    No context
                    No context
                    Process:C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):144
                    Entropy (8bit):3.349210161123417
                    Encrypted:false
                    SSDEEP:3:rhlKl+hNA+lTlCl55JWRal2Jl+7R0DAlBG45klovDl6v:6l+9lpCl55YcIeeDAlOWAv
                    MD5:2F73606F0E5563E208D273049C22BEBD
                    SHA1:2E297E83C682FDA8A1B430BA0D802D5CF2F61014
                    SHA-256:E361145E30509ECD0F4FFB35414829CD236185F013188D3F04E181102C2565A9
                    SHA-512:639ED816FA42311675A0ADC6516FABDB136A05F4AEFE5DF81BC791684976D53B004CD1203324560D74271232AF3EC9D3448AC13F16DED59E653F49D31B34AF0D
                    Malicious:true
                    Yara Hits:
                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                    Reputation:low
                    Preview:....[.2.0.2.4./.0.4./.2.4. .0.7.:.2.2.:.3.6. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                    Process:C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe
                    File Type:JSON data
                    Category:dropped
                    Size (bytes):965
                    Entropy (8bit):5.005233927773532
                    Encrypted:false
                    SSDEEP:12:tkbOnd66GkMyGWKyGXPVGArwY3o/IomaoHNmGNArpv/mOAaNO+ao9W7iN5zzkw7T:qbCdbauKyGX85jrvXhNlT3/7sYDsro
                    MD5:DA0FD37CC49697181AE27DA4C9D3C308
                    SHA1:A6555517791DFFC3DFD07C3A2467A957F90AA67C
                    SHA-256:540275576574073DDE26A8FABECB51D8A60343AE2EFE289628093D0B84430F19
                    SHA-512:D6E3EA3E4357FB1CF120405BEF882E4667F3D80A463C3FB8866F451CA55B2A78BF7EFF9F692814AFF436EE8DFD1073A5AD66D83DD7CA27CF2F78799F72B0F58F
                    Malicious:false
                    Reputation:low
Preview:
{
  "geoplugin_request":"154.16.105.36",
  "geoplugin_status":200,
  "geoplugin_delay":"0ms",
  "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",
  "geoplugin_city":"Las Vegas",
  "geoplugin_region":"Nevada",
  "geoplugin_regionCode":"NV",
  "geoplugin_regionName":"Nevada",
  "geoplugin_areaCode":"",
  "geoplugin_dmaCode":"839",
  "geoplugin_countryCode":"US",
  "geoplugin_countryName":"United States",
  "geoplugin_inEU":0,
  "geoplugin_euVATrate":false,
  "geoplugin_continentCode":"NA",
  "geoplugin_continentName":"North America",
  "geoplugin_latitude":"36.1685",
  "geoplugin_longitude":"-115.1164",
  "geoplugin_locationAccuracyRadius":"20",
  "geoplugin_timezone":"America\/Los_Angeles",
  "geoplugin_currencyCode":"USD",
  "geoplugin_currencySymbol":"$",
  "geoplugin_currencySymbol_UTF8":"$",
  "geoplugin_currencyConverter":0
}
                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Entropy (8bit):6.599734035149821
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 99.96%
                    • Generic Win/DOS Executable (2004/3) 0.02%
                    • DOS Executable Generic (2002/1) 0.02%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe
                    File size:494'592 bytes
                    MD5:4cf8283349d416ede72e0d3775d23972
                    SHA1:1a9cf0bbae717aebabea0b6933ce67604ce91733
                    SHA256:15113629d65d474d78089e91ee269220b68fdcff8c4df46ea1da0af21cd559e3
                    SHA512:1b7fa83f80002dec7084e48358a4c20169baede2d06e75285fde53782d7a4fbffba2c420513458b39c71d467a33e8fa493693449f5711f38e197bf1b10c7c41e
                    SSDEEP:6144:6XIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZDAXYcN/5Gv:6X7tPMK8ctGe4Dzl4h2QnuPs/ZDqcv
                    TLSH:CDB49E01BAD1C072D57524300D3AF776EAB8BD2028364A7B73D61D5BFE31190B62A6B7
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........-H..~H..~H..~.f$~[..~.f&~...~.f'~V..~A.Q~I..~.Z.~J..~....R..~....r..~....j..~A.F~Q..~H..~u..~....,..~..*~I..~....I..~RichH..
                    Icon Hash:95694d05214c1b33
                    Entrypoint:0x4349ef
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                    DLL Characteristics:TERMINAL_SERVER_AWARE
                    Time Stamp:0x65EC315B [Sat Mar 9 09:52:27 2024 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:5
                    OS Version Minor:1
                    File Version Major:5
                    File Version Minor:1
                    Subsystem Version Major:5
                    Subsystem Version Minor:1
                    Import Hash:8d5087ff5de35c3fbb9f212b47d63cad
                    Instruction
                    call 00007FF4A891146Ch
                    jmp 00007FF4A8910E83h
                    push ebp
                    mov ebp, esp
                    sub esp, 00000324h
                    push ebx
                    push esi
                    push 00000017h
                    call 00007FF4A89336E4h
                    test eax, eax
                    je 00007FF4A8910FF7h
                    mov ecx, dword ptr [ebp+08h]
                    int 29h
                    xor esi, esi
                    lea eax, dword ptr [ebp-00000324h]
                    push 000002CCh
                    push esi
                    push eax
                    mov dword ptr [00471D14h], esi
                    call 00007FF4A8913457h
                    add esp, 0Ch
                    mov dword ptr [ebp-00000274h], eax
                    mov dword ptr [ebp-00000278h], ecx
                    mov dword ptr [ebp-0000027Ch], edx
                    mov dword ptr [ebp-00000280h], ebx
                    mov dword ptr [ebp-00000284h], esi
                    mov dword ptr [ebp-00000288h], edi
                    mov word ptr [ebp-0000025Ch], ss
                    mov word ptr [ebp-00000268h], cs
                    mov word ptr [ebp-0000028Ch], ds
                    mov word ptr [ebp-00000290h], es
                    mov word ptr [ebp-00000294h], fs
                    mov word ptr [ebp-00000298h], gs
                    pushfd
                    pop dword ptr [ebp-00000264h]
                    mov eax, dword ptr [ebp+04h]
                    mov dword ptr [ebp-0000026Ch], eax
                    lea eax, dword ptr [ebp+04h]
                    mov dword ptr [ebp-00000260h], eax
                    mov dword ptr [ebp-00000324h], 00010001h
                    mov eax, dword ptr [eax-04h]
                    push 00000050h
                    mov dword ptr [ebp-00000270h], eax
                    lea eax, dword ptr [ebp-58h]
                    push esi
                    push eax
                    call 00007FF4A89133CEh
                    Programming Language:
                    • [C++] VS2008 SP1 build 30729
                    • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6eea8 | 0x104 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x79000 | 0x4b50 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7e000 | 0x3bcc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6d340 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x6d3d4 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6d378 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x59000 | 0x4fc | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x57175 | 0x57200 | f959ed65f49a903603bc150bbb7292aa | False | 0.571329694225251 | data | 6.62552167894442 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x59000 | 0x179b6 | 0x17a00 | dd9ac1735f016f0a84955e5637da2aad | False | 0.5005580357142857 | Zebra Metafile graphic (comment = \210\002\007) | 5.859387089901195 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x71000 | 0x5d44 | 0xe00 | fa1a169b9414830def88848af87110b5 | False | 0.22154017857142858 | data | 3.00580031855032 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x77000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids | 0x78000 | 0x230 | 0x400 | 09e4699aa75951ab53e804fe4f9a3b6b | False | 0.3271484375 | data | 2.349075166240886 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x79000 | 0x4b50 | 0x4c00 | ef6a9789097f98993a0e89b46fb14095 | False | 0.28402549342105265 | data | 3.9914464468439705 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7e000 | 0x3bcc | 0x3c00 | 0a6e61b09628beca43d4bf9604f65238 | False | 0.7639973958333334 | data | 6.718533933603825 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x7918c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3421985815602837
RT_ICON | 0x795f4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.27704918032786885
RT_ICON | 0x79f7c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.23686679174484052
RT_ICON | 0x7b024 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.22977178423236513
RT_RCDATA | 0x7d5cc | 0x541 | data | | | 1.00817843866171
RT_GROUP_ICON | 0x7db10 | 0x3e | data | English | United States | 0.8064516129032258
DLL | Import
KERNEL32.dll | FindNextFileA, ExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, UnmapViewOfFile, DuplicateHandle, CreateFileMappingW, MapViewOfFile, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, FindFirstFileA, FormatMessageA, FindNextVolumeW, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, HeapReAlloc, GetACP, GetModuleHandleExW, MoveFileExW, RtlUnwind, RaiseException, LoadLibraryExW, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, TlsFree, TlsSetValue, TlsGetValue, GetFileSize, TerminateThread, GetLastError, CreateDirectoryW, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, GetLogicalDriveStringsA, DeleteFileW, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, CreateMutexA, GetCurrentProcess, GetProcAddress, LoadLibraryA, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, SetConsoleOutputCP, TlsAlloc, InitializeCriticalSectionAndSpinCount, MultiByteToWideChar, DecodePointer, EncodePointer, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, SetEndOfFile
USER32.dll | GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, GetWindowThreadProcessId, GetMessageA, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CloseWindow, SendInput, EnumDisplaySettingsW, mouse_event, CreatePopupMenu, DispatchMessageA, TranslateMessage, TrackPopupMenu, DefWindowProcA, CreateWindowExA, GetIconInfo, GetSystemMetrics, AppendMenuA, RegisterClassExA, GetCursorPos, SetForegroundWindow, DrawIcon, SystemParametersInfoW
GDI32.dll | BitBlt, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteObject, CreateDCA, GetObjectA, DeleteDC
ADVAPI32.dll | CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW, RegDeleteKeyA
SHELL32.dll | ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
ole32.dll | CoInitializeEx, CoUninitialize, CoGetObject
SHLWAPI.dll | PathFileExistsW, PathFileExistsA, StrToIntA
WINMM.dll | waveInUnprepareHeader, waveInOpen, waveInStart, waveInAddBuffer, PlaySoundW, mciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInPrepareHeader
WS2_32.dll | gethostbyname, send, WSAStartup, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, WSAGetLastError, recv, connect, socket
urlmon.dll | URLOpenBlockingStreamW, URLDownloadToFileW
gdiplus.dll | GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipAlloc, GdipCloneImage, GdipGetImageEncoders, GdiplusStartup, GdipLoadImageFromStream
WININET.dll | InternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 24, 2024 07:22:38.758505106 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239
Apr 24, 2024 07:22:38.978455067 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9
Apr 24, 2024 07:22:38.978713989 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239
Apr 24, 2024 07:22:39.003158092 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239
Apr 24, 2024 07:22:39.233458996 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9
Apr 24, 2024 07:22:39.276804924 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239
Apr 24, 2024 07:22:39.496854067 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9
Apr 24, 2024 07:22:39.501512051 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239
Apr 24, 2024 07:22:39.767805099 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9
Apr 24, 2024 07:22:39.767961979 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239
Apr 24, 2024 07:22:40.033251047 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9
Apr 24, 2024 07:22:40.190583944 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9
Apr 24, 2024 07:22:40.192167044 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239
Apr 24, 2024 07:22:40.412306070 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9
Apr 24, 2024 07:22:40.464127064 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239
Apr 24, 2024 07:22:41.036719084 CEST | 49707 | 80 | 192.168.2.9 | 178.237.33.50
Apr 24, 2024 07:22:41.344705105 CEST | 80 | 49707 | 178.237.33.50 | 192.168.2.9
Apr 24, 2024 07:22:41.344794989 CEST | 49707 | 80 | 192.168.2.9 | 178.237.33.50
Apr 24, 2024 07:22:41.345001936 CEST | 49707 | 80 | 192.168.2.9 | 178.237.33.50
Apr 24, 2024 07:22:41.657533884 CEST | 80 | 49707 | 178.237.33.50 | 192.168.2.9
Apr 24, 2024 07:22:41.657623053 CEST | 49707 | 80 | 192.168.2.9 | 178.237.33.50
Apr 24, 2024 07:22:41.692205906 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239
Apr 24, 2024 07:22:41.970710039 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9
Apr 24, 2024 07:22:42.657156944 CEST | 80 | 49707 | 178.237.33.50 | 192.168.2.9
Apr 24, 2024 07:22:42.657218933 CEST | 49707 | 80 | 192.168.2.9 | 178.237.33.50
Apr 24, 2024 07:22:54.589349985 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9
Apr 24, 2024 07:22:54.590765953 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239
Apr 24, 2024 07:22:54.861910105 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9
Apr 24, 2024 07:23:24.590679884 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9
Apr 24, 2024 07:23:24.592942953 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239
Apr 24, 2024 07:23:24.876950026 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9
Apr 24, 2024 07:23:54.591311932 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9
Apr 24, 2024 07:23:54.592864037 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239
Apr 24, 2024 07:23:54.877140999 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9
Apr 24, 2024 07:24:24.605391979 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9
Apr 24, 2024 07:24:24.607155085 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239
Apr 24, 2024 07:24:24.876970053 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9
Apr 24, 2024 07:24:30.855143070 CEST | 49707 | 80 | 192.168.2.9 | 178.237.33.50
Apr 24, 2024 07:24:31.776834011 CEST | 49707 | 80 | 192.168.2.9 | 178.237.33.50
Apr 24, 2024 07:24:33.386099100 CEST | 49707 | 80 | 192.168.2.9 | 178.237.33.50
Apr 24, 2024 07:24:36.429549932 CEST | 49707 | 80 | 192.168.2.9 | 178.237.33.50
Apr 24, 2024 07:24:42.592772007 CEST | 49707 | 80 | 192.168.2.9 | 178.237.33.50
Apr 24, 2024 07:24:54.607965946 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9
Apr 24, 2024 07:24:54.610013962 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239
Apr 24, 2024 07:24:54.738368988 CEST | 49707 | 80 | 192.168.2.9 | 178.237.33.50
Apr 24, 2024 07:24:54.876857042 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9
Apr 24, 2024 07:25:19.089200020 CEST | 49707 | 80 | 192.168.2.9 | 178.237.33.50
Apr 24, 2024 07:25:24.608380079 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9
Apr 24, 2024 07:25:24.632635117 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239
Apr 24, 2024 07:25:24.908328056 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9
Apr 24, 2024 07:25:54.621606112 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9
Apr 24, 2024 07:25:54.626179934 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239
Apr 24, 2024 07:25:54.908251047 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9
Apr 24, 2024 07:26:24.636183023 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9
Apr 24, 2024 07:26:24.638171911 CEST | 49706 | 6991 | 192.168.2.9 | 23.226.132.239
Apr 24, 2024 07:26:24.908154964 CEST | 6991 | 49706 | 23.226.132.239 | 192.168.2.9
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 24, 2024 07:22:37.654803991 CEST | 59130 | 53 | 192.168.2.9 | 1.1.1.1
Apr 24, 2024 07:22:38.651674986 CEST | 59130 | 53 | 192.168.2.9 | 1.1.1.1
Apr 24, 2024 07:22:38.729048014 CEST | 53 | 59130 | 1.1.1.1 | 192.168.2.9
Apr 24, 2024 07:22:38.805634975 CEST | 53 | 59130 | 1.1.1.1 | 192.168.2.9
Apr 24, 2024 07:22:40.878376007 CEST | 60454 | 53 | 192.168.2.9 | 1.1.1.1
Apr 24, 2024 07:22:41.032845020 CEST | 53 | 60454 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 24, 2024 07:22:37.654803991 CEST | 192.168.2.9 | 1.1.1.1 | 0xd659 | Standard query (0) | jimbb.ydns.eu | A (IP address) | IN (0x0001) | false
Apr 24, 2024 07:22:38.651674986 CEST | 192.168.2.9 | 1.1.1.1 | 0xd659 | Standard query (0) | jimbb.ydns.eu | A (IP address) | IN (0x0001) | false
Apr 24, 2024 07:22:40.878376007 CEST | 192.168.2.9 | 1.1.1.1 | 0xda52 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 24, 2024 07:22:38.729048014 CEST | 1.1.1.1 | 192.168.2.9 | 0xd659 | No error (0) | jimbb.ydns.eu | | 23.226.132.239 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 07:22:38.805634975 CEST | 1.1.1.1 | 192.168.2.9 | 0xd659 | No error (0) | jimbb.ydns.eu | | 23.226.132.239 | A (IP address) | IN (0x0001) | false
Apr 24, 2024 07:22:41.032845020 CEST | 1.1.1.1 | 192.168.2.9 | 0xda52 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                    • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49707 | 178.237.33.50 | 80 | 7324 | C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe
Timestamp | Bytes transferred | Direction | Data
Apr 24, 2024 07:22:41.345001936 CEST | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Apr 24, 2024 07:22:41.657533884 CEST | 1173 | IN | HTTP/1.1 200 OK
date: Wed, 24 Apr 2024 05:22:41 GMT
server: Apache
content-length: 965
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
                    Data Ascii: { "geoplugin_request":"154.16.105.36", "geoplugin_status":200, "geoplugin_delay":"0ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Las Vegas", "geoplugin_region":"Nevada", "geoplugin_regionCode":"NV", "geoplugin_regionName":"Nevada", "geoplugin_areaCode":"", "geoplugin_dmaCode":"839", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"36.1685", "geoplugin_longitude":"-115.1164", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/Los_Angeles", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                    Target ID: 0
                    Start time: 07:22:36
                    Start date: 24/04/2024
                    Path: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe
                    Wow64 process (32bit): true
                    Commandline: "C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe"
                    Imagebase: 0x400000
                    File size: 494'592 bytes
                    MD5 hash: 4CF8283349D416EDE72E0D3775D23972
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.3810962160.000000000232F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000000.1331015106.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.1331015106.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000000.1331015106.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.3810654995.00000000004BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    Reputation: low
                    Has exited: false


                      Execution Graph

                      Execution Coverage: 4.1%
                      Dynamic/Decrypted Code Coverage: 0%
                      Signature Coverage: 22%
                      Total number of Nodes: 1350
                      Total number of Limit Nodes: 56
4052fd 28 API calls 48219->48220 48222 441e8d 48221->48222 48225 441c7d 48222->48225 48224 41bbb2 48224->48218 48226 441c94 48225->48226 48227 441ccb __cftoe 48226->48227 48229 4405dd 20 API calls __dosmaperr 48226->48229 48227->48224 48229->48227 48237 40ace4 48230->48237 48231 40a292 48232 40ad3e Sleep GetForegroundWindow GetWindowTextLengthW 48233 40b904 28 API calls 48232->48233 48233->48237 48237->48231 48237->48232 48239 41bae6 GetLastInputInfo GetTickCount 48237->48239 48240 40ad84 GetWindowTextW 48237->48240 48242 401f09 11 API calls 48237->48242 48243 40b8ec 28 API calls 48237->48243 48244 40aedc 48237->48244 48246 40ae49 Sleep 48237->48246 48247 441e81 20 API calls 48237->48247 48249 402093 28 API calls 48237->48249 48250 40add1 48237->48250 48254 406383 28 API calls 48237->48254 48256 403014 28 API calls 48237->48256 48257 40a636 12 API calls 48237->48257 48258 41bc5e 28 API calls 48237->48258 48259 401fd8 11 API calls 48237->48259 48260 4343e6 EnterCriticalSection LeaveCriticalSection WaitForSingleObjectEx __Init_thread_wait 48237->48260 48261 401f86 48237->48261 48265 434770 23 API calls __onexit 48237->48265 48266 4343a7 SetEvent ResetEvent EnterCriticalSection LeaveCriticalSection __Init_thread_wait 48237->48266 48267 409044 28 API calls 48237->48267 48269 40b97c 28 API calls 48237->48269 48270 40b748 40 API calls 2 library calls 48237->48270 48271 4052fd 28 API calls 48237->48271 48239->48237 48240->48237 48242->48237 48243->48237 48245 401f09 11 API calls 48244->48245 48245->48231 48246->48237 48247->48237 48249->48237 48250->48237 48252 40905c 28 API calls 48250->48252 48268 40b164 31 API calls new 48250->48268 48252->48250 48254->48237 48256->48237 48257->48237 48258->48237 48259->48237 48262 401f8e 48261->48262 48263 402252 11 API calls 48262->48263 48264 401f99 48263->48264 48264->48237 48265->48237 48266->48237 48267->48237 48268->48250 48269->48237 48270->48237 48273 40a73b Sleep 48272->48273 48293 40a675 48273->48293 48275 40a286 48276 
40a77b CreateDirectoryW 48281 40a74d 48276->48281 48277 40a78c GetFileAttributesW 48277->48281 48278 40a7a3 SetFileAttributesW 48278->48281 48279 4020df 11 API calls 48291 40a7ee 48279->48291 48281->48273 48281->48275 48281->48276 48281->48277 48281->48278 48283 401e65 22 API calls 48281->48283 48281->48291 48305 41c3f1 48281->48305 48282 40a81d PathFileExistsW 48282->48291 48283->48281 48284 4020b7 28 API calls 48284->48291 48286 40a926 SetFileAttributesW 48286->48281 48287 401fe2 28 API calls 48287->48291 48288 406dd8 28 API calls 48288->48291 48289 401fd8 11 API calls 48289->48291 48291->48279 48291->48282 48291->48284 48291->48286 48291->48287 48291->48288 48291->48289 48292 401fd8 11 API calls 48291->48292 48315 41c485 32 API calls 48291->48315 48316 41c4f2 CreateFileW SetFilePointer CloseHandle WriteFile FindCloseChangeNotification 48291->48316 48292->48281 48294 40a722 48293->48294 48297 40a68b 48293->48297 48294->48281 48295 40a6aa CreateFileW 48296 40a6b8 GetFileSize 48295->48296 48295->48297 48296->48297 48298 40a6ed CloseHandle 48296->48298 48297->48295 48297->48298 48299 40a6ff 48297->48299 48300 40a6e2 Sleep 48297->48300 48317 40b0dc 84 API calls 48297->48317 48298->48297 48299->48294 48302 40905c 28 API calls 48299->48302 48300->48298 48303 40a71b 48302->48303 48304 40a179 125 API calls 48303->48304 48304->48294 48306 41c404 CreateFileW 48305->48306 48308 41c441 48306->48308 48309 41c43d 48306->48309 48310 41c461 WriteFile 48308->48310 48311 41c448 SetFilePointer 48308->48311 48309->48281 48313 41c474 48310->48313 48314 41c476 FindCloseChangeNotification 48310->48314 48311->48310 48312 41c458 CloseHandle 48311->48312 48312->48309 48313->48314 48314->48309 48315->48291 48316->48291 48317->48300 48320 40322e 48319->48320 48329 403618 48320->48329 48322 40323b 48322->48141 48324 40326e 48323->48324 48325 402252 11 API calls 48324->48325 48326 403288 48325->48326 48327 402336 11 API calls 48326->48327 48328 403031 48327->48328 48328->47702 48330 403626 
48329->48330 48331 403644 48330->48331 48332 40362c 48330->48332 48334 40365c 48331->48334 48335 40369e 48331->48335 48340 4036a6 28 API calls 48332->48340 48338 4027e6 28 API calls 48334->48338 48339 403642 48334->48339 48341 4028a4 22 API calls 48335->48341 48338->48339 48339->48322 48340->48339 48343 404186 48342->48343 48344 402252 11 API calls 48343->48344 48345 404191 48344->48345 48353 4041bc 48345->48353 48348 4042fc 48364 404353 48348->48364 48350 40430a 48351 403262 11 API calls 48350->48351 48352 404319 48351->48352 48352->47711 48354 4041c8 48353->48354 48357 4041d9 48354->48357 48356 40419c 48356->48348 48358 4041e9 48357->48358 48359 404206 48358->48359 48360 4041ef 48358->48360 48361 4027e6 28 API calls 48359->48361 48362 404267 28 API calls 48360->48362 48363 404204 48361->48363 48362->48363 48363->48356 48365 40435f 48364->48365 48368 404371 48365->48368 48367 40436d 48367->48350 48369 40437f 48368->48369 48370 404385 48369->48370 48371 40439e 48369->48371 48434 4034e6 28 API calls 48370->48434 48372 402888 22 API calls 48371->48372 48373 4043a6 48372->48373 48375 404419 48373->48375 48376 4043bf 48373->48376 48435 4028a4 22 API calls 48375->48435 48378 4027e6 28 API calls 48376->48378 48387 40439c 48376->48387 48378->48387 48387->48367 48434->48387 48442 43aa9a 48436->48442 48440 4138b9 48439->48440 48441 41388f RegSetValueExA RegCloseKey 48439->48441 48440->47727 48441->48440 48445 43aa1b 48442->48445 48444 40170d 48444->47729 48446 43aa2a 48445->48446 48447 43aa3e 48445->48447 48451 4405dd 20 API calls __dosmaperr 48446->48451 48450 43aa2f __alldvrm __cftoe 48447->48450 48452 448957 11 API calls 2 library calls 48447->48452 48450->48444 48451->48450 48452->48450 48454 41b8f9 ctype ___scrt_get_show_window_mode 48453->48454 48455 402093 28 API calls 48454->48455 48456 414f49 48455->48456 48456->47736 48457->47753 48459 414f02 getaddrinfo WSASetLastError 48458->48459 48460 414ef8 48458->48460 48459->47804 48599 414d86 29 API calls 
___std_exception_copy 48460->48599 48462 414efd 48462->48459 48464 404846 socket 48463->48464 48465 404839 48463->48465 48467 404860 CreateEventW 48464->48467 48468 404842 48464->48468 48600 40489e WSAStartup 48465->48600 48467->47804 48468->47804 48469 40483e 48469->48464 48469->48468 48471 404f65 48470->48471 48472 404fea 48470->48472 48473 404f6e 48471->48473 48474 404fc0 CreateEventA CreateThread 48471->48474 48475 404f7d GetLocalTime 48471->48475 48472->47804 48473->48474 48474->48472 48602 405150 48474->48602 48476 41bb8e 28 API calls 48475->48476 48477 404f91 48476->48477 48601 4052fd 28 API calls 48477->48601 48486 404a1b 48485->48486 48487 4048ee 48485->48487 48488 40497e 48486->48488 48489 404a21 WSAGetLastError 48486->48489 48487->48488 48491 40531e 28 API calls 48487->48491 48511 404923 48487->48511 48488->47804 48489->48488 48490 404a31 48489->48490 48492 404a36 48490->48492 48501 404932 48490->48501 48494 40490f 48491->48494 48611 41cae1 30 API calls 48492->48611 48498 402093 28 API calls 48494->48498 48496 40492b 48500 404941 48496->48500 48496->48501 48497 402093 28 API calls 48502 404a80 48497->48502 48503 40491e 48498->48503 48499 404a40 48612 4052fd 28 API calls 48499->48612 48508 404950 48500->48508 48509 404987 48500->48509 48501->48497 48505 402093 28 API calls 48502->48505 48506 41b4ef 80 API calls 48503->48506 48510 404a8f 48505->48510 48506->48511 48513 402093 28 API calls 48508->48513 48608 421a40 54 API calls 48509->48608 48514 41b4ef 80 API calls 48510->48514 48606 420c60 27 API calls 48511->48606 48517 40495f 48513->48517 48514->48488 48520 402093 28 API calls 48517->48520 48518 40498f 48521 4049c4 48518->48521 48522 404994 48518->48522 48524 40496e 48520->48524 48610 420e06 28 API calls 48521->48610 48526 402093 28 API calls 48522->48526 48529 41b4ef 80 API calls 48524->48529 48528 4049a3 48526->48528 48531 402093 28 API calls 48528->48531 48532 404973 48529->48532 48530 4049cc 48533 4049f9 CreateEventW CreateEventW 48530->48533 48535 
402093 28 API calls 48530->48535 48534 4049b2 48531->48534 48607 41e711 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 48532->48607 48533->48488 48536 41b4ef 80 API calls 48534->48536 48538 4049e2 48535->48538 48539 4049b7 48536->48539 48540 402093 28 API calls 48538->48540 48609 4210b2 52 API calls 48539->48609 48542 4049f1 48540->48542 48543 41b4ef 80 API calls 48542->48543 48544 4049f6 48543->48544 48544->48533 48613 41b7b6 GlobalMemoryStatusEx 48545->48613 48547 41b7f5 48547->47804 48614 414580 48548->48614 48552 40dda5 48551->48552 48553 4134ff 3 API calls 48552->48553 48555 40ddac 48553->48555 48554 40ddc4 48554->47804 48555->48554 48556 413549 3 API calls 48555->48556 48556->48554 48558 4020b7 28 API calls 48557->48558 48559 41bc57 48558->48559 48559->47804 48561 41bd2b 48560->48561 48562 4020b7 28 API calls 48561->48562 48563 41bd3d 48562->48563 48563->47804 48564->47819 48566 436e90 ___scrt_get_show_window_mode 48565->48566 48567 41bab5 GetForegroundWindow GetWindowTextW 48566->48567 48568 40417e 28 API calls 48567->48568 48569 41badf 48568->48569 48569->47819 48571 402093 28 API calls 48570->48571 48572 40f8f6 48571->48572 48572->47819 48573->47819 48575 4020df 11 API calls 48574->48575 48576 404c27 48575->48576 48577 4020df 11 API calls 48576->48577 48589 404c30 48577->48589 48578 43bd51 new 21 API calls 48578->48589 48580 404c96 48583 404ca1 48580->48583 48580->48589 48581 4020b7 28 API calls 48581->48589 48582 401fe2 28 API calls 48582->48589 48665 404e26 99 API calls 48583->48665 48585 404ca8 48587 401fd8 11 API calls 48585->48587 48586 401fd8 11 API calls 48586->48589 48588 404cb1 48587->48588 48590 401fd8 11 API calls 48588->48590 48589->48578 48589->48580 48589->48581 48589->48582 48589->48586 48652 404cc3 48589->48652 48664 404b96 57 API calls 48589->48664 48591 404cba 48590->48591 48591->47784 48593->47804 48594->47784 48596->47819 48597->47784 48598->47784 48599->48462 48600->48469 48605 40515c 102 API calls 48602->48605 48604 
405159 48605->48604 48606->48496 48607->48488 48608->48518 48609->48532 48610->48530 48611->48499 48613->48547 48617 414553 48614->48617 48618 414568 ___scrt_initialize_default_local_stdio_options 48617->48618 48621 43f79d 48618->48621 48624 43c4f0 48621->48624 48625 43c530 48624->48625 48626 43c518 48624->48626 48625->48626 48628 43c538 48625->48628 48646 4405dd 20 API calls __dosmaperr 48626->48646 48647 43a7b7 36 API calls 2 library calls 48628->48647 48629 43c51d __cftoe 48639 434fcb 48629->48639 48631 43c548 48648 43cc76 20 API calls 2 library calls 48631->48648 48634 414576 48634->47804 48635 43c5c0 48649 43d2e4 51 API calls 3 library calls 48635->48649 48638 43c5cb 48650 43cce0 20 API calls _free 48638->48650 48640 434fd6 IsProcessorFeaturePresent 48639->48640 48641 434fd4 48639->48641 48643 435018 48640->48643 48641->48634 48651 434fdc SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 48643->48651 48645 4350fb 48645->48634 48646->48629 48647->48631 48648->48635 48649->48638 48650->48629 48651->48645 48653 4020df 11 API calls 48652->48653 48663 404cde 48653->48663 48654 404e13 48655 401fd8 11 API calls 48654->48655 48656 404e1c 48655->48656 48656->48580 48657 4041a2 28 API calls 48657->48663 48658 401fe2 28 API calls 48658->48663 48659 401fd8 11 API calls 48659->48663 48660 4020f6 28 API calls 48660->48663 48661 401fc0 28 API calls 48662 404dad CreateEventA CreateThread WaitForSingleObject FindCloseChangeNotification 48661->48662 48662->48663 48666 415aea 48662->48666 48663->48654 48663->48657 48663->48658 48663->48659 48663->48660 48663->48661 48664->48589 48665->48585 48667 4020f6 28 API calls 48666->48667 48668 415b0c SetEvent 48667->48668 48669 415b21 48668->48669 48670 4041a2 28 API calls 48669->48670 48671 415b3b 48670->48671 48672 4020f6 28 API calls 48671->48672 48673 415b4b 48672->48673 48674 4020f6 28 API calls 48673->48674 48675 415b5d 48674->48675 48676 41be1b 28 API calls 48675->48676 48677 415b66 
48676->48677 48678 417089 48677->48678 48679 415b86 GetTickCount 48677->48679 48680 415d2f 48677->48680 48681 401e8d 11 API calls 48678->48681 48682 41bb8e 28 API calls 48679->48682 48680->48678 48740 415ce5 48680->48740 48683 417092 48681->48683 48684 415b97 48682->48684 48685 401fd8 11 API calls 48683->48685 48745 41bae6 GetLastInputInfo GetTickCount 48684->48745 48688 41709e 48685->48688 48691 401fd8 11 API calls 48688->48691 48689 415cc9 48689->48678 48690 415ba3 48692 41bb8e 28 API calls 48690->48692 48693 4170aa 48691->48693 48694 415bae 48692->48694 48695 41ba96 30 API calls 48694->48695 48696 415bbc 48695->48696 48697 41bd1e 28 API calls 48696->48697 48698 415bca 48697->48698 48699 401e65 22 API calls 48698->48699 48700 415bd8 48699->48700 48746 402f31 28 API calls 48700->48746 48702 415be6 48747 402ea1 28 API calls 48702->48747 48704 415bf5 48705 402f10 28 API calls 48704->48705 48706 415c04 48705->48706 48748 402ea1 28 API calls 48706->48748 48708 415c13 48709 402f10 28 API calls 48708->48709 48710 415c1f 48709->48710 48749 402ea1 28 API calls 48710->48749 48712 415c29 48750 404aa1 61 API calls ctype 48712->48750 48714 415c38 48715 401fd8 11 API calls 48714->48715 48716 415c41 48715->48716 48717 401fd8 11 API calls 48716->48717 48718 415c4d 48717->48718 48719 401fd8 11 API calls 48718->48719 48720 415c59 48719->48720 48721 401fd8 11 API calls 48720->48721 48722 415c65 48721->48722 48723 401fd8 11 API calls 48722->48723 48724 415c71 48723->48724 48725 401fd8 11 API calls 48724->48725 48726 415c7d 48725->48726 48727 401f09 11 API calls 48726->48727 48728 415c86 48727->48728 48729 401fd8 11 API calls 48728->48729 48730 415c8f 48729->48730 48731 401fd8 11 API calls 48730->48731 48732 415c98 48731->48732 48733 401e65 22 API calls 48732->48733 48734 415ca3 48733->48734 48735 43baac _strftime 40 API calls 48734->48735 48736 415cb0 48735->48736 48737 415cb5 48736->48737 48738 415cdb 48736->48738 48741 415cc3 48737->48741 48742 415cce 48737->48742 48739 401e65 22 
API calls 48738->48739 48739->48740 48740->48678 48752 4050e4 84 API calls 48740->48752 48751 404ff4 82 API calls 48741->48751 48743 404f51 105 API calls 48742->48743 48743->48689 48745->48690 48746->48702 48747->48704 48748->48708 48749->48712 48750->48714 48751->48689 48752->48689 48754->47854 48755->47881 48756->47880 48757->47869 48758->47873 48759->47879 48762 40f7c2 48760->48762 48761 413549 3 API calls 48761->48762 48762->48761 48763 40f866 48762->48763 48765 40f856 Sleep 48762->48765 48782 40f7f4 48762->48782 48766 40905c 28 API calls 48763->48766 48764 40905c 28 API calls 48764->48782 48765->48762 48769 40f871 48766->48769 48768 41bc5e 28 API calls 48768->48782 48770 41bc5e 28 API calls 48769->48770 48771 40f87d 48770->48771 48795 413814 14 API calls 48771->48795 48774 401f09 11 API calls 48774->48782 48775 40f890 48776 401f09 11 API calls 48775->48776 48778 40f89c 48776->48778 48777 402093 28 API calls 48777->48782 48779 402093 28 API calls 48778->48779 48780 40f8ad 48779->48780 48783 41376f 14 API calls 48780->48783 48781 41376f 14 API calls 48781->48782 48782->48764 48782->48765 48782->48768 48782->48774 48782->48777 48782->48781 48793 40d096 112 API calls ___scrt_get_show_window_mode 48782->48793 48794 413814 14 API calls 48782->48794 48784 40f8c0 48783->48784 48796 412850 TerminateProcess WaitForSingleObject 48784->48796 48786 40f8c8 ExitProcess 48797 4127ee 62 API calls 48790->48797 48794->48782 48795->48775 48796->48786 48798 4269e6 48799 4269fb 48798->48799 48809 426a8d 48798->48809 48800 426a7d 48799->48800 48801 426b1d 48799->48801 48805 426af2 48799->48805 48808 426abd 48799->48808 48799->48809 48811 426a48 48799->48811 48813 426b44 48799->48813 48826 424edd 49 API calls ctype 48799->48826 48800->48808 48800->48809 48828 424edd 49 API calls ctype 48800->48828 48801->48809 48801->48813 48814 425ae1 48801->48814 48805->48801 48830 4256f0 21 API calls 48805->48830 48808->48805 48808->48809 48829 41fb6c 52 API calls 48808->48829 48811->48800 
48811->48809 48827 41fb6c 52 API calls 48811->48827 48813->48809 48831 426155 28 API calls 48813->48831 48816 425b00 ___scrt_get_show_window_mode 48814->48816 48815 425b0f 48821 425b34 48815->48821 48825 425b14 48815->48825 48833 4205d8 46 API calls 48815->48833 48816->48815 48816->48821 48832 41ebbb 21 API calls 48816->48832 48820 425b1d 48820->48821 48840 424d05 21 API calls 2 library calls 48820->48840 48821->48813 48823 425bb7 48823->48821 48834 432ec4 48823->48834 48825->48820 48825->48821 48839 41da5f 49 API calls 48825->48839 48826->48811 48827->48811 48828->48808 48829->48808 48830->48801 48831->48809 48832->48815 48833->48823 48835 432ed2 48834->48835 48836 432ece 48834->48836 48837 43bd51 new 21 API calls 48835->48837 48836->48825 48838 432ed7 48837->48838 48838->48825 48839->48820 48840->48821 48841 446782 48842 44678d RtlFreeHeap 48841->48842 48846 4467b6 __dosmaperr 48841->48846 48843 4467a2 48842->48843 48842->48846 48847 4405dd 20 API calls __dosmaperr 48843->48847 48845 4467a8 GetLastError 48845->48846 48847->48845 48848 415d06 48863 41b380 48848->48863 48850 415d0f 48851 4020f6 28 API calls 48850->48851 48852 415d1e 48851->48852 48874 404aa1 61 API calls ctype 48852->48874 48854 415d2a 48855 417089 48854->48855 48856 401fd8 11 API calls 48854->48856 48857 401e8d 11 API calls 48855->48857 48856->48855 48858 417092 48857->48858 48859 401fd8 11 API calls 48858->48859 48860 41709e 48859->48860 48861 401fd8 11 API calls 48860->48861 48862 4170aa 48861->48862 48864 4020df 11 API calls 48863->48864 48865 41b38e 48864->48865 48866 43bd51 new 21 API calls 48865->48866 48867 41b39e InternetOpenW InternetOpenUrlW 48866->48867 48868 41b3c5 InternetReadFile 48867->48868 48872 41b3e8 48868->48872 48869 4020b7 28 API calls 48869->48872 48870 41b415 InternetCloseHandle InternetCloseHandle 48871 41b427 48870->48871 48871->48850 48872->48868 48872->48869 48872->48870 48873 401fd8 11 API calls 48872->48873 48873->48872 48874->48854 48875 426c4b 48880 426cc8 send 
48875->48880 48881 43be58 48884 43be64 _swprintf CallCatchBlock 48881->48884 48882 43be72 48897 4405dd 20 API calls __dosmaperr 48882->48897 48884->48882 48886 43be9c 48884->48886 48885 43be77 __cftoe CallCatchBlock 48892 445888 EnterCriticalSection 48886->48892 48888 43bea7 48893 43bf48 48888->48893 48892->48888 48895 43bf56 48893->48895 48894 43beb2 48898 43becf LeaveCriticalSection std::_Lockit::~_Lockit 48894->48898 48895->48894 48899 44976c 37 API calls 2 library calls 48895->48899 48897->48885 48898->48885 48899->48895 48900 41dfbd 48901 41dfd2 ctype ___scrt_get_show_window_mode 48900->48901 48903 432ec4 21 API calls 48901->48903 48913 41e1d5 48901->48913 48906 41e182 ___scrt_get_show_window_mode 48903->48906 48904 41e1e6 48905 432ec4 21 API calls 48904->48905 48912 41e189 48904->48912 48907 41e21f ___scrt_get_show_window_mode 48905->48907 48908 432ec4 21 API calls 48906->48908 48906->48912 48907->48912 48915 43354a 48907->48915 48909 41e1af ___scrt_get_show_window_mode 48908->48909 48911 432ec4 21 API calls 48909->48911 48909->48912 48911->48913 48913->48912 48914 41db62 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection ___scrt_get_show_window_mode 48913->48914 48914->48904 48918 433469 48915->48918 48917 433552 48917->48912 48919 433482 48918->48919 48922 433478 48918->48922 48920 432ec4 21 API calls 48919->48920 48919->48922 48921 4334a3 48920->48921 48921->48922 48924 433837 CryptAcquireContextA 48921->48924 48922->48917 48925 433853 48924->48925 48926 433858 CryptGenRandom 48924->48926 48925->48922 48926->48925 48927 43386d CryptReleaseContext 48926->48927 48927->48925 48928 426bdc 48934 426cb1 recv 48928->48934

                      Control-flow Graph

                      APIs
                      • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                      • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                      • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                      • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                      • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                      • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                      • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                      • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                      • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                      • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                      • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                      • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                      • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                      • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                      • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC86
                      • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040E9E1), ref: 0041CC97
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CC9A
                      • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CCAA
                      • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CCBA
                      • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040E9E1), ref: 0041CCCC
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CCCF
                      • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040E9E1), ref: 0041CCDC
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CCDF
                      • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CCF3
                      • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CD07
                      • LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,0040E9E1), ref: 0041CD19
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CD1C
                      • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040E9E1), ref: 0041CD29
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CD2C
                      • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040E9E1), ref: 0041CD39
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CD3C
                      • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040E9E1), ref: 0041CD49
                      • GetProcAddress.KERNEL32(00000000), ref: 0041CD4C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressProc$LibraryLoad$HandleModule
                      • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                      • API String ID: 4236061018-3687161714
                      • Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                      • Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
                      • Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                      • Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 5 40e9c5-40ea47 call 41cb50 GetModuleFileNameW call 40f3c3 call 4020f6 * 2 call 41be1b call 40fb17 call 401e8d call 43fd00 22 40ea93-40eb5b call 401e65 call 401fab call 401e65 call 40531e call 406383 call 401fe2 call 401fd8 * 2 call 401e65 call 401fc0 call 405aa6 call 401e65 call 4051e3 call 401e65 call 4051e3 5->22 23 40ea49-40ea8e call 40fbb3 call 401e65 call 401fab call 410f37 call 40fb64 call 40f3b0 5->23 69 40eb5d-40eba8 call 406c1e call 401fe2 call 401fd8 call 401fab call 413549 22->69 70 40ebae-40ebc9 call 401e65 call 40b9bd 22->70 49 40eef2-40ef03 call 401fd8 23->49 69->70 102 40f34f-40f36a call 401fab call 4139a9 call 412475 69->102 80 40ec03-40ec0a call 40d069 70->80 81 40ebcb-40ebea call 401fab call 413549 70->81 90 40ec13-40ec1a 80->90 91 40ec0c-40ec0e 80->91 81->80 97 40ebec-40ec02 call 401fab call 4139a9 81->97 95 40ec1c 90->95 96 40ec1e-40ec2a call 41b2c3 90->96 94 40eef1 91->94 94->49 95->96 103 40ec33-40ec37 96->103 104 40ec2c-40ec2e 96->104 97->80 126 40f36f-40f3a0 call 41bc5e call 401f04 call 413a23 call 401f09 * 2 102->126 107 40ec76-40ec89 call 401e65 call 401fab 103->107 108 40ec39 call 407716 103->108 104->103 127 40ec90-40ed18 call 401e65 call 41bc5e call 401f13 call 401f09 call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab 107->127 128 40ec8b call 407755 107->128 117 40ec3e-40ec40 108->117 120 40ec42-40ec47 call 407738 call 407260 117->120 121 40ec4c-40ec5f call 401e65 call 401fab 117->121 120->121 121->107 140 40ec61-40ec67 121->140 157 40f3a5-40f3af call 40dd42 call 414f2a 126->157 177 40ed80-40ed84 127->177 178 40ed1a-40ed33 call 401e65 call 401fab call 43bad6 127->178 128->127 140->107 144 40ec69-40ec6f 140->144 144->107 147 40ec71 call 407260 144->147 147->107 180 40ef06-40ef66 call 436e90 call 40247c call 401fab * 2 call 4136f8 call 409057 177->180 181 40ed8a-40ed91 177->181 178->177 205 40ed35-40ed7b call 401e65 call 401fab call 401e65 call 401fab call 40da34 call 401f13 call 401f09 178->205 236 40ef6b-40efbf call 401e65 call 401fab call 402093 call 401fab call 41376f call 401e65 call 401fab call 43baac 180->236 184 40ed93-40ee0d call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 40cdf9 181->184 185 40ee0f-40ee19 call 409057 181->185 191 40ee1e-40ee42 call 40247c call 434798 184->191 185->191 212 40ee51 191->212 213 40ee44-40ee4f call 436e90 191->213 205->177 218 40ee53-40ee9e call 401f04 call 43f809 call 40247c call 401fab call 40247c call 401fab call 413947 212->218 213->218 273 40eea3-40eec8 call 4347a1 call 401e65 call 40b9bd 218->273 287 40efc1 236->287 288 40efdc-40efde 236->288 273->236 286 40eece-40eeed call 401e65 call 41bc5e call 40f474 273->286 286->236 306 40eeef 286->306 292 40efc3-40efda call 41cd9b CreateThread 287->292 289 40efe0-40efe2 288->289 290 40efe4 288->290 289->292 294 40efea-40f0c6 call 402093 * 2 call 41b4ef call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 43baac call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab StrToIntA call 409de4 call 401e65 call 401fab 290->294 292->294 344 40f101 294->344 345 40f0c8-40f0ff call 4344ea call 401e65 call 401fab CreateThread 294->345 306->94 347 40f103-40f11b call 401e65 call 401fab 344->347 345->347 357 40f159-40f16c call 401e65 call 401fab 347->357 358 40f11d-40f154 call 4344ea call 401e65 call 401fab CreateThread 347->358 368 40f1cc-40f1df call 401e65 call 401fab 357->368 369 40f16e-40f1c7 call 401e65 call 401fab call 401e65 call 401fab call 40d9e8 call 401f13 call 401f09 CreateThread 357->369 358->357 379 40f1e1-40f215 call 401e65 call 401fab call 401e65 call 401fab call 43baac call 40c162 368->379 380 40f21a-40f23e call 41b60d call 401f13 call 401f09 368->380 369->368 379->380 400 40f240-40f241 SetProcessDEPPolicy 380->400 401 40f243-40f256 CreateThread 380->401 400->401 404 40f264-40f26b 401->404 405 40f258-40f262 CreateThread 401->405 408 40f279-40f280 404->408 409 40f26d-40f277 CreateThread 404->409 405->404 412 40f282-40f285 408->412 413 40f28e 408->413 409->408 415 40f287-40f28c 412->415 416 40f2cc-40f2df call 401fab call 4134ff 412->416 418 40f293-40f2c7 call 402093 call 4052fd call 402093 call 41b4ef call 401fd8 413->418 415->418 425 40f2e4-40f2e7 416->425 418->416 425->157 427 40f2ed-40f32d call 41bc5e call 401f04 call 41361b call 401f09 call 401f04 425->427 443 40f346-40f34b DeleteFileW 427->443 444 40f34d 443->444 445 40f32f-40f332 443->445 444->126 445->126 446 40f334-40f341 Sleep call 401f04 445->446 446->443
                      APIs
                        • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                        • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                        • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                        • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                        • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                        • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                        • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                        • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                        • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                        • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                        • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                        • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                        • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                        • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                        • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                        • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                      • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe,00000104), ref: 0040E9EE
                        • Part of subcall function 00410F37: __EH_prolog.LIBCMT ref: 00410F3C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                      • String ID: SG$ SG$8SG$8SG$Access Level: $Administrator$C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe$Exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                      • API String ID: 2830904901-198684778
                      • Opcode ID: cc67e54aedd94bd188949fffc6f37dabdb480af775679b2e47580a4ac9d4071a
                      • Instruction ID: d4e128c763ae9979da4f7e35a5cae12564b96cb69b39ecb6445d524eb2b23fe8
                      • Opcode Fuzzy Hash: cc67e54aedd94bd188949fffc6f37dabdb480af775679b2e47580a4ac9d4071a
                      • Instruction Fuzzy Hash: 6332D860B043412BDA24B7729C67B6E26994F81748F50483FB9467B2E3EFBC4D45839E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1260 40a2b8-40a2cf 1261 40a2d1-40a2eb GetModuleHandleA SetWindowsHookExA 1260->1261 1262 40a333-40a343 GetMessageA 1260->1262 1261->1262 1265 40a2ed-40a331 GetLastError call 41bb8e call 4052fd call 402093 call 41b4ef call 401fd8 1261->1265 1263 40a345-40a35d TranslateMessage DispatchMessageA 1262->1263 1264 40a35f 1262->1264 1263->1262 1263->1264 1266 40a361-40a366 1264->1266 1265->1266
                      APIs
                      • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
                      • SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
                      • GetLastError.KERNEL32 ref: 0040A2ED
                        • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A33B
                      • TranslateMessage.USER32(?), ref: 0040A34A
                      • DispatchMessageA.USER32(?), ref: 0040A355
                      Strings
                      • Keylogger initialization failure: error , xrefs: 0040A301
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                      • String ID: Keylogger initialization failure: error
                      • API String ID: 3219506041-952744263
                      • Opcode ID: 351146aa31e7d8f010798953617ef069e45ce016b2dcdd27b6cd7b94982b1026
                      • Instruction ID: 26c2bdf112627336efb266b6f5317542b4ef4d62b82d8858756ad59ca9dca42a
                      • Opcode Fuzzy Hash: 351146aa31e7d8f010798953617ef069e45ce016b2dcdd27b6cd7b94982b1026
                      • Instruction Fuzzy Hash: FA11BF32604301ABCB107F76DC0A86B77ECEA95716B10457EFC85E21D1EA38C910CBAA
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1277 41b380-41b3c3 call 4020df call 43bd51 InternetOpenW InternetOpenUrlW 1282 41b3c5-41b3e6 InternetReadFile 1277->1282 1283 41b3e8-41b408 call 4020b7 call 403376 call 401fd8 1282->1283 1284 41b40c-41b40f 1282->1284 1283->1284 1286 41b411-41b413 1284->1286 1287 41b415-41b422 InternetCloseHandle * 2 call 43bd4c 1284->1287 1286->1282 1286->1287 1291 41b427-41b431 1287->1291
                      APIs
                      • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
                      • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
                      • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
                      • InternetCloseHandle.WININET(00000000), ref: 0041B41C
                      • InternetCloseHandle.WININET(00000000), ref: 0041B41F
                      Strings
                      • http://geoplugin.net/json.gp, xrefs: 0041B3B7
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Internet$CloseHandleOpen$FileRead
                      • String ID: http://geoplugin.net/json.gp
                      • API String ID: 3121278467-91888290
                      • Opcode ID: 6a5bb3929385511d6a84e9203cd89213703bcb065304e2e950e05ba1f56befd0
                      • Instruction ID: bc766ab0241d3587a1949f89688fbc1c60562a782fd7f61c1deed4db1e92f461
                      • Opcode Fuzzy Hash: 6a5bb3929385511d6a84e9203cd89213703bcb065304e2e950e05ba1f56befd0
                      • Instruction Fuzzy Hash: E711EB311053126BD224AB269C49EBF7F9CEF86755F00043EF905A2292DB68DC45C6FA
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      APIs
                        • Part of subcall function 00413549: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413569
                        • Part of subcall function 00413549: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 00413587
                        • Part of subcall function 00413549: RegCloseKey.KERNEL32(?), ref: 00413592
                      • Sleep.KERNEL32(00000BB8), ref: 0040F85B
                      • ExitProcess.KERNEL32 ref: 0040F8CA
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseExitOpenProcessQuerySleepValue
                      • String ID: 4.9.4 Pro$override$pth_unenc
                      • API String ID: 2281282204-930821335
                      • Opcode ID: e8f8a8c6e09656479cbd18f8005b06e309874533347df5ec8e0d67fb659a5248
                      • Instruction ID: 07d0e0dc4205ecb16ec703249a4fc897915f305b32a2beb09604d1d6565ffe0f
                      • Opcode Fuzzy Hash: e8f8a8c6e09656479cbd18f8005b06e309874533347df5ec8e0d67fb659a5248
                      • Instruction Fuzzy Hash: F821F371B0420167C604767A485B6AE35A95B80718F90403FF505676D7FF7C8E0583EF
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1496 404f51-404f5f 1497 404f65-404f6c 1496->1497 1498 404fea 1496->1498 1500 404f74-404f7b 1497->1500 1501 404f6e-404f72 1497->1501 1499 404fec-404ff1 1498->1499 1502 404fc0-404fe8 CreateEventA CreateThread 1500->1502 1503 404f7d-404fbb GetLocalTime call 41bb8e call 4052fd call 402093 call 41b4ef call 401fd8 1500->1503 1501->1502 1502->1499 1503->1502
                      APIs
                      • GetLocalTime.KERNEL32(00000001,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404F81
                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00474EE0,00475598,?,?,?,?,00415CD6,?,00000001), ref: 00404FCD
                      • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                      Strings
                      • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Create$EventLocalThreadTime
                      • String ID: KeepAlive | Enabled | Timeout:
                      • API String ID: 2532271599-1507639952
                      • Opcode ID: 83e50ac4dae1b8c5f58466140d22aecb7b5797b4a98a9f2a00060ccb3113e507
                      • Instruction ID: 982fc92e7e47f2769c776e0d9ab1702947c5453eb715a4cfed9cf45540ca89dc
                      • Opcode Fuzzy Hash: 83e50ac4dae1b8c5f58466140d22aecb7b5797b4a98a9f2a00060ccb3113e507
                      • Instruction Fuzzy Hash: A8110671904385AAC720A7778C0DEAB7FA8DBD2710F04046FF54163291DAB89445CBBA
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,004334BF,00000034,?,?,004DD1A8), ref: 00433849
                      • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000), ref: 0043385F
                      • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000,0041E251), ref: 00433871
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Crypt$Context$AcquireRandomRelease
                      • String ID:
                      • API String ID: 1815803762-0
                      • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                      • Instruction ID: 864202151b2ab8ebdb17250bb7e2999cce5b6c404a207f59f2405eb254ca80c1
                      • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                      • Instruction Fuzzy Hash: 83E09231308310FAFB341F25AC08F573AA5EB89B67F20093AF211E40E4D2568C018A5C
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetComputerNameExW.KERNEL32(00000001,?,0000002B,004750E4), ref: 0041B62A
                      • GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Name$ComputerUser
                      • String ID:
                      • API String ID: 4229901323-0
                      • Opcode ID: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
                      • Instruction ID: 2f1a7eaa0fafc1393a04fa3680ad11d69711b7caddb5f837a5711c727b94ccef
                      • Opcode Fuzzy Hash: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
                      • Instruction Fuzzy Hash: 3B014F7190011CABCB01EBD5DC45EEDB7BCAF44309F10016AB505B61A1EFB46E88CBA8
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004154FC,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,4.9.4 Pro), ref: 0040F8E5
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: InfoLocale
                      • String ID:
                      • API String ID: 2299586839-0
                      • Opcode ID: 2888965568e38a2ba7a5abe7093904758464576a93ba76aee1c710f175ee0f35
                      • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                      • Opcode Fuzzy Hash: 2888965568e38a2ba7a5abe7093904758464576a93ba76aee1c710f175ee0f35
                      • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 448 414f2a-414f72 call 4020df call 41b8b3 call 4020df call 401e65 call 401fab call 43baac 461 414f81-414fcd call 402093 call 401e65 call 4020f6 call 41be1b call 40489e call 401e65 call 40b9bd 448->461 462 414f74-414f7b Sleep 448->462 477 415041-4150dc call 402093 call 401e65 call 4020f6 call 41be1b call 401e65 * 2 call 406c1e call 402f10 call 401fe2 call 401fd8 * 2 call 401e65 call 405b05 461->477 478 414fcf-41503e call 401e65 call 40247c call 401e65 call 401fab call 401e65 call 40247c call 401e65 call 401fab call 401e65 call 40247c call 401e65 call 401fab call 40473d 461->478 462->461 531 4150ec-4150f3 477->531 532 4150de-4150ea 477->532 478->477 533 4150f8-41518a call 405aa6 call 40531e call 406383 call 402f10 call 402093 call 41b4ef call 401fd8 * 2 call 401e65 call 401fab call 401e65 call 401fab call 414ee9 531->533 532->533 560 4151d5-4151e3 call 40482d 533->560 561 41518c-4151d0 WSAGetLastError call 41cae1 call 4052fd call 402093 call 41b4ef call 401fd8 533->561 566 415210-415225 call 404f51 call 4048c8 560->566 567 4151e5-41520b call 402093 * 2 call 41b4ef 560->567 583 415aa3-415ab5 call 404e26 call 4021fa 561->583 566->583 584 41522b-41537e call 401e65 * 2 call 40531e call 406383 call 402f10 call 406383 call 402f10 call 402093 call 41b4ef call 401fd8 * 4 call 41b7e0 call 4145bd call 40905c call 441e81 call 401e65 call 4020f6 call 40247c call 401fab * 2 call 4136f8 566->584 567->583 597 415ab7-415ad7 call 401e65 call 401fab call 43baac Sleep 583->597 598 415add-415ae5 call 401e8d 583->598 648 415380-41538d call 405aa6 584->648 649 415392-4153b9 call 401fab call 4135a6 584->649 597->598 598->477 648->649 655 4153c0-41577f call 40417e call 40dd89 call 41bc42 call 41bd1e call 41bb8e call 401e65 GetTickCount call 41bb8e call 41bae6 call 41bb8e * 2 call 41ba96 call 41bd1e * 5 call 40f8d1 call 41bd1e call 402f31 call 402ea1 call 402f10 call 402ea1 call 402f10 * 3 call 402ea1 call 402f10 call 406383 call 402f10 call 406383 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 406383 call 402f10 * 5 call 402ea1 call 402f10 call 402ea1 call 402f10 * 7 call 402ea1 649->655 656 4153bb-4153bd 649->656 782 415781 call 404aa1 655->782 656->655 783 415786-415a0a call 401fd8 * 50 call 401f09 call 401fd8 * 6 call 401f09 call 404c10 782->783 901 415a0f-415a16 783->901 902 415a18-415a1f 901->902 903 415a2a-415a31 901->903 902->903 906 415a21-415a23 902->906 904 415a33-415a38 call 40b051 903->904 905 415a3d-415a6f call 405a6b call 402093 * 2 call 41b4ef 903->905 904->905 917 415a71-415a7d CreateThread 905->917 918 415a83-415a9e call 401fd8 * 2 call 401f09 905->918 906->903 917->918 918->583
                      APIs
                      • Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414F7B
                      • WSAGetLastError.WS2_32(00000000,00000001), ref: 0041518C
                      • Sleep.KERNEL32(00000000,00000002), ref: 00415AD7
                        • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Sleep$ErrorLastLocalTime
                      • String ID: | $%I64u$4.9.4 Pro$8SG$C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$PSG$TLS Off$TLS On $dMG$hlight$name$NG$NG$PG$PG$PG
                      • API String ID: 524882891-4014224463
                      • Opcode ID: 54107aa111ad19004039bd720ed66d720c16aa9a3370bff2bb61099b48e52321
                      • Instruction ID: 324fc11d7bea0fba9c16e2c7d7b547a311b01f704130931fc4cc70caa797af2d
                      • Opcode Fuzzy Hash: 54107aa111ad19004039bd720ed66d720c16aa9a3370bff2bb61099b48e52321
                      • Instruction Fuzzy Hash: 22526B31A001155ACB18F732DD96AFE73769F90344F6041BFE40A761E2EF781E858A5D
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      APIs
                      • Sleep.KERNEL32(00001388), ref: 0040A740
                        • Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                        • Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                        • Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                        • Part of subcall function 0040A675: CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                      • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
                      • GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
                      • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
                      • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A81E
                        • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                      • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A927
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                      • String ID: 8SG$8SG$hdF$pQG$pQG$PG$PG
                      • API String ID: 3795512280-4009011672
                      • Opcode ID: 1b86f33e2813ac9ce889fc21d85687f64281119cd91f5dea58d0e0166611a616
                      • Instruction ID: 265ddfea45d140738b9a7e0f0353a6f5be26653907181caffe3561bb72ed66c0
                      • Opcode Fuzzy Hash: 1b86f33e2813ac9ce889fc21d85687f64281119cd91f5dea58d0e0166611a616
                      • Instruction Fuzzy Hash: A7517E716043055ACB09BB32C866ABE739A9F80349F00483FB642B71E2DF7C9D09865E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      APIs
                      • connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                      • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                      • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                      • WSAGetLastError.WS2_32 ref: 00404A21
                        • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateEvent$ErrorLastLocalTimeconnect
                      • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                      • API String ID: 994465650-2151626615
                      • Opcode ID: fa9dc16280b74e41472a6a3d9ec0168782aacc7c5f81dfffe069f112667f44de
                      • Instruction ID: c5d57dbf39bf42eeb7f1fe8451fa1a1ddda5cb55b73798f96fdafd5064c5310c
                      • Opcode Fuzzy Hash: fa9dc16280b74e41472a6a3d9ec0168782aacc7c5f81dfffe069f112667f44de
                      • Instruction Fuzzy Hash: 3E41E8B47406016BD61877BA8D1B53E7A15AB81304B50017FE60267AD3EB7D9C108BDF
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      APIs
                      • __Init_thread_footer.LIBCMT ref: 0040AD38
                      • Sleep.KERNEL32(000001F4), ref: 0040AD43
                      • GetForegroundWindow.USER32 ref: 0040AD49
                      • GetWindowTextLengthW.USER32(00000000), ref: 0040AD52
                      • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040AD86
                      • Sleep.KERNEL32(000003E8), ref: 0040AE54
                        • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                      • String ID: [${ User has been idle for $ minutes }$]
                      • API String ID: 911427763-3954389425
                      • Opcode ID: 0353f8177fafd3cd9a3a1f2f9d997a593271c35778fb8a74e0f6d4403574b366
                      • Instruction ID: 3d5ee5432c15115af2c0f1375ae13a0ba8112eb59c463c5c733e63bb31497985
                      • Opcode Fuzzy Hash: 0353f8177fafd3cd9a3a1f2f9d997a593271c35778fb8a74e0f6d4403574b366
                      • Instruction Fuzzy Hash: 6D51B1316043419BD314FB21D846AAE7796AB84308F50093FF586A22E2EF7C9D45C69F
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      APIs
                      • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DB9A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: LongNamePath
                      • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                      • API String ID: 82841172-425784914
                      • Opcode ID: aa652be1f29e0a7c33d43a87d655e5c017c40b6912c980d0cec9b2528de70772
                      • Instruction ID: 0cc8b9c4d8a16f3fd89327f32322cd7e2fd47b59120d3573c9b2d8a81569e3eb
                      • Opcode Fuzzy Hash: aa652be1f29e0a7c33d43a87d655e5c017c40b6912c980d0cec9b2528de70772
                      • Instruction Fuzzy Hash: FB414F715082019AC215FB61DC52DAEB3F8AE90718F10053FB546A60E2FFB8AE49C65F
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      APIs
                      • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466468,00000000,00000000,0040D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C430
                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C44D
                      • CloseHandle.KERNEL32(00000000), ref: 0041C459
                      • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C46A
                      • FindCloseChangeNotification.KERNEL32(00000000), ref: 0041C477
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$Close$ChangeCreateFindHandleNotificationPointerWrite
                      • String ID: hpF
                      • API String ID: 1087594267-151379673
                      • Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                      • Instruction ID: 5cb8be75c3dc4c1e2f747800af3fbfd5a98fa41e64789a84fd548ad7506a8702
                      • Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                      • Instruction Fuzzy Hash: B0110471288220FFEA104B24ACD9EFB739CEB46375F10462AF592C22C1C7259C81863A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      APIs
                        • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                        • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
                        • Part of subcall function 004135A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                        • Part of subcall function 004135A6: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 004135E7
                        • Part of subcall function 004135A6: RegCloseKey.KERNEL32(?), ref: 004135F2
                      • StrToIntA.SHLWAPI(00000000,0046C9F8,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0041B33C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Process$CloseCurrentOpenQueryValueWow64
                      • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                      • API String ID: 782494840-2070987746
                      • Opcode ID: 8ad9b4a9319c0ce8e08ab0eef02bf2d7836f92b3666c7b1e2c0131a55ef00c42
                      • Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
                      • Opcode Fuzzy Hash: 8ad9b4a9319c0ce8e08ab0eef02bf2d7836f92b3666c7b1e2c0131a55ef00c42
                      • Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: CountEventTick
                      • String ID: !D@$NG
                      • API String ID: 180926312-2721294649
                      • Opcode ID: bbde657cec6cf086e56234726bd7e1da24d8483684ed9c2ddaf9e58a98623226
                      • Instruction ID: 1740d3d485f2be3f914829e5aa2a54ae858af1ae40273f66f7ff2800e9d96298
                      • Opcode Fuzzy Hash: bbde657cec6cf086e56234726bd7e1da24d8483684ed9c2ddaf9e58a98623226
                      • Instruction Fuzzy Hash: 7E51A1316083019AC724FB32D852AEF73A5AF94314F50493FF54A671E2EF3C5949C68A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      APIs
                      • CreateThread.KERNEL32(00000000,00000000,0040A27D,?,00000000,00000000), ref: 0040A1FE
                      • CreateThread.KERNEL32(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0040A20E
                      • CreateThread.KERNEL32(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 0040A21A
                        • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                        • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateThread$LocalTimewsprintf
                      • String ID: Offline Keylogger Started
                      • API String ID: 465354869-4114347211
                      • Opcode ID: 4ca78bee1b29c2b2eaf028355388d4b479c826490612efa5b39e4efab7956beb
                      • Instruction ID: bcf1cfbdc14a627f6781ea3a40f7cea6448602225ce5b2be95dc640702f6c2bd
                      • Opcode Fuzzy Hash: 4ca78bee1b29c2b2eaf028355388d4b479c826490612efa5b39e4efab7956beb
                      • Instruction Fuzzy Hash: DE1194B12003187AD220B7369C86CBB765DDA8139CB00057FF946222D2EA795D54CAFB
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
                      • RegSetValueExA.KERNEL32(?,004674B8,00000000,?,00000000,00000000,004752F0,?,?,0040F853,004674B8,4.9.4 Pro), ref: 004137A6
                      • RegCloseKey.KERNEL32(?,?,?,0040F853,004674B8,4.9.4 Pro), ref: 004137B1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseCreateValue
                      • String ID: pth_unenc
                      • API String ID: 1818849710-4028850238
                      • Opcode ID: 04dffd27395d5cb7a301fd27aaace46d1b2beb75a59ed872a5e7c8f8e25a915c
                      • Instruction ID: c04290829ccef693e4e8b5b7d06cdf9a2950efbbd707a4c1379ff92f90edcb59
                      • Opcode Fuzzy Hash: 04dffd27395d5cb7a301fd27aaace46d1b2beb75a59ed872a5e7c8f8e25a915c
                      • Instruction Fuzzy Hash: B8F06272400118FBCB009FA1DD45DEA376CEF04B51F108566FD09A61A1D7359E14DB54
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                      • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00404DD2
                      • FindCloseChangeNotification.KERNEL32(00000000,?,00000000), ref: 00404DDB
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Create$ChangeCloseEventFindNotificationObjectSingleThreadWait
                      • String ID:
                      • API String ID: 2579639479-0
                      • Opcode ID: ceb3114af3113f3e51a28b58c6f931136764174e6725d3240f6aeee7034d4dad
                      • Instruction ID: 465453d6db43d9529954589ba2efa69a6de0eb64d520c2048147815e962fb190
                      • Opcode Fuzzy Hash: ceb3114af3113f3e51a28b58c6f931136764174e6725d3240f6aeee7034d4dad
                      • Instruction Fuzzy Hash: 3E4192B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
                      • GetLastError.KERNEL32 ref: 0040D083
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateErrorLastMutex
                      • String ID: SG
                      • API String ID: 1925916568-3189917014
                      • Opcode ID: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
                      • Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
                      • Opcode Fuzzy Hash: 801f4fab6620dad4192684c1acb97daf4a6912092659b95b34e50827bd09c0e4
                      • Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                      • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 004135E7
                      • RegCloseKey.KERNEL32(?), ref: 004135F2
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseOpenQueryValue
                      • String ID:
                      • API String ID: 3677997916-0
                      • Opcode ID: 8a165f7f556a11d3abfab9d86b37d0f406e8581ec1eb6973fd31e646fb445763
                      • Instruction ID: 357f89d7cd1c8cc036c5e31f86fe90e90b696c4569df010e686479b524d11f87
                      • Opcode Fuzzy Hash: 8a165f7f556a11d3abfab9d86b37d0f406e8581ec1eb6973fd31e646fb445763
                      • Instruction Fuzzy Hash: 5A01D676900228BBCF209B91DC09DEF7FBDDB84751F000066BB09E2240DA748E45DBA4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 00413714
                      • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0041372D
                      • RegCloseKey.KERNEL32(00000000), ref: 00413738
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseOpenQueryValue
                      • String ID:
                      • API String ID: 3677997916-0
                      • Opcode ID: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                      • Instruction ID: 3f277cad741e4f631881634228dfc272d65c1146f3ef4f3c344e6cfa7cb73972
                      • Opcode Fuzzy Hash: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                      • Instruction Fuzzy Hash: 1C018BB1400229FBDF216FA1DC04DEB3F38EF05751F004065BE08621A1D6358AA5DBA4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413569
                      • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 00413587
                      • RegCloseKey.KERNEL32(?), ref: 00413592
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseOpenQueryValue
                      • String ID:
                      • API String ID: 3677997916-0
                      • Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                      • Instruction ID: df0ca7b2621da3f23a966dc0a7f3323316399916f3769291e5945d4ebcba47cd
                      • Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                      • Instruction Fuzzy Hash: E8F01776900218FFDF109FA0DC05FEEBBBCEB04B11F1040A6BA09E6191E2359F54AB94
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040C19C,00466C48), ref: 00413516
                      • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040C19C,00466C48), ref: 0041352A
                      • RegCloseKey.KERNEL32(?,?,?,0040C19C,00466C48), ref: 00413535
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseOpenQueryValue
                      • String ID:
                      • API String ID: 3677997916-0
                      • Opcode ID: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                      • Instruction ID: ffaae2385a847085e6fb085aa4760e2a706d619ab1068a3de776aab9102a8dd7
                      • Opcode Fuzzy Hash: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                      • Instruction Fuzzy Hash: 46E06D32801238FB9F204FA2DC0DDEB7F6CEF06FA2B000155BD0DA2112E2258E50E6E4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                      • RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                      • RegCloseKey.KERNEL32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseCreateValue
                      • String ID:
                      • API String ID: 1818849710-0
                      • Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                      • Instruction ID: 04a42b38e2882b978ed87177a7d0f50f8458418d63be9de7f69fe35b215911ab
                      • Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                      • Instruction Fuzzy Hash: 16E06572500318FBEF115F90DC05FEA7B6CDF04B52F1045A5BF09A6191D3358E549798
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: _wcslen
                      • String ID: pQG
                      • API String ID: 176396367-3769108836
                      • Opcode ID: 1f3b91536cece4da7108cf24afec647958326f81796985407c04b0a2ae37731c
                      • Instruction ID: e6961f6084f98a1e57a9a6385a58e5d20214d93246a99e64d0d6a4ea431d93e1
                      • Opcode Fuzzy Hash: 1f3b91536cece4da7108cf24afec647958326f81796985407c04b0a2ae37731c
                      • Instruction Fuzzy Hash: 8111C3319002059BCB15EF65E8529EF7BB5EF54318B10013FF406A62E2EFB8AD05CB98
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041B7CA
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: GlobalMemoryStatus
                      • String ID: @
                      • API String ID: 1890195054-2766056989
                      • Opcode ID: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                      • Instruction ID: 2d2b64c70bc766df394076410504e3f9c8f669937c614d63c6700d8895b1c70c
                      • Opcode Fuzzy Hash: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                      • Instruction Fuzzy Hash: E6D017B58023189FC720DFA8E804A8DBBFCFB08210F00456AEC49E3700E770E8008B94
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • socket.WS2_32(?,00000001,00000006), ref: 00404852
                      • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
                        • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateEventStartupsocket
                      • String ID:
                      • API String ID: 1953588214-0
                      • Opcode ID: afd00016faedd330142d6470bb716eda446324a36170d88fbab64c940495e811
                      • Instruction ID: 7af5cc85a36d800a693892934b5c0b91abe86707509305098cc6d5fca1b6a633
                      • Opcode Fuzzy Hash: afd00016faedd330142d6470bb716eda446324a36170d88fbab64c940495e811
                      • Instruction Fuzzy Hash: 6E0171B1408B809ED7359F38A8456977FE0AB55304F048D6EF1DA97B91D3B5A881CB18
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetForegroundWindow.USER32 ref: 0041BAB8
                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BACB
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Window$ForegroundText
                      • String ID:
                      • API String ID: 29597999-0
                      • Opcode ID: 3324f64634fda987d6d57ad9b9c1a74d02492aa66b07baf7772615d4eb65d97a
                      • Instruction ID: 4615795adb372a642f3ed3ff298372a60f443b3219566b47796808df054d69ed
                      • Opcode Fuzzy Hash: 3324f64634fda987d6d57ad9b9c1a74d02492aa66b07baf7772615d4eb65d97a
                      • Instruction Fuzzy Hash: CCE0D875A00328A7E720A7A49C4EFE5776CEB08701F0000EEBA18D71C2EAB4AD04C7E4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • getaddrinfo.WS2_32(00000000,00000000,00000000,00472ADC,004750E4,00000000,00415188,00000000,00000001), ref: 00414F0B
                      • WSASetLastError.WS2_32(00000000), ref: 00414F10
                        • Part of subcall function 00414D86: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
                        • Part of subcall function 00414D86: LoadLibraryA.KERNEL32(?), ref: 00414E17
                        • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
                        • Part of subcall function 00414D86: FreeLibrary.KERNEL32(00000000), ref: 00414E3E
                        • Part of subcall function 00414D86: LoadLibraryA.KERNEL32(?), ref: 00414E76
                        • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
                        • Part of subcall function 00414D86: FreeLibrary.KERNEL32(00000000), ref: 00414E8F
                        • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                      • String ID:
                      • API String ID: 1170566393-0
                      • Opcode ID: 6695e73d4224f512b623112065335d5dbc2e445aee0e7ca71efd6bc9c5f08a3e
                      • Instruction ID: cadd3d9b0d0923a9352550a0b766658ea18523973fceddbfefdc7c35282954d4
                      • Opcode Fuzzy Hash: 6695e73d4224f512b623112065335d5dbc2e445aee0e7ca71efd6bc9c5f08a3e
                      • Instruction Fuzzy Hash: 9ED017322015316BD320A769AC01AFBAA9EDBD7771B16003BFA08D3210D6949C8282E8
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: AllocateHeap
                      • String ID:
                      • API String ID: 1279760036-0
                      • Opcode ID: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                      • Instruction ID: 4903450aafda00484806ba385278610c2731405ed8485190d5fd86014b6ab98c
                      • Opcode Fuzzy Hash: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
                      • Instruction Fuzzy Hash: 92E0ED3120062577FB2226669D05B5B365D9F033A2F160127EC0AA2283DF7CCC0081EF
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Startup
                      • String ID:
                      • API String ID: 724789610-0
                      • Opcode ID: d1a3cfe2fad2e3cb4d6962b6d8b640ceb39eb3bb27a9d976f59a5119cf7f3e63
                      • Instruction ID: a24ce82555f98f109a53945ea9c337c8597cdca763f75144b39f195b4e3f482d
                      • Opcode Fuzzy Hash: d1a3cfe2fad2e3cb4d6962b6d8b640ceb39eb3bb27a9d976f59a5119cf7f3e63
                      • Instruction Fuzzy Hash: 0DD0C9325586088AE620AAB4AD0B8A4775C8312615F0007AA6CA5835D2E6446A19C2AA
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: send
                      • String ID:
                      • API String ID: 2809346765-0
                      • Opcode ID: a64cf630b3b4fcbf92e6cf8d3c010959396a6b24f5439efeece66edae75e3506
                      • Instruction ID: 80dceff54fd7c7607e374e8a405dba3f032bb15cdc3f4a53630576a73fa931ff
                      • Opcode Fuzzy Hash: a64cf630b3b4fcbf92e6cf8d3c010959396a6b24f5439efeece66edae75e3506
                      • Instruction Fuzzy Hash: 79B09279108202FFCB150B60CD0887A7EAAABC8381F008A2CB187411B1C636C852AB26
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: recv
                      • String ID:
                      • API String ID: 1507349165-0
                      • Opcode ID: 12f17b9eb2b05ccee17ecde8d051cd75af37e2c2e0a2002d53484fbbe037e517
                      • Instruction ID: 54da5cb0358175ea3eef87e0ba5f02fe09cc36e19498aa822303b7a5c5cf0de8
                      • Opcode Fuzzy Hash: 12f17b9eb2b05ccee17ecde8d051cd75af37e2c2e0a2002d53484fbbe037e517
                      • Instruction Fuzzy Hash: 38B09B75108302FFC6150750CC0486A7D66DBC8351B00481C714641170C736C8519725
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • SetEvent.KERNEL32(?,?), ref: 00407CB9
                      • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407D87
                      • DeleteFileW.KERNEL32(00000000), ref: 00407DA9
                        • Part of subcall function 0041C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2EC
                        • Part of subcall function 0041C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C31C
                        • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C371
                        • Part of subcall function 0041C291: FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D2
                        • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D9
                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                        • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                        • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                        • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408197
                      • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00408278
                      • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084C4
                      • DeleteFileA.KERNEL32(?), ref: 00408652
                        • Part of subcall function 0040880C: __EH_prolog.LIBCMT ref: 00408811
                        • Part of subcall function 0040880C: FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                        • Part of subcall function 0040880C: __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                        • Part of subcall function 0040880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                      • Sleep.KERNEL32(000007D0), ref: 004086F8
                      • StrToIntA.SHLWAPI(00000000,00000000), ref: 0040873A
                        • Part of subcall function 0041C9E2: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                      • String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                      • API String ID: 1067849700-181434739
                      • Opcode ID: a70f240359ba1a68c472f995740389da0d47dfedb64d48b38e90ed404f3a4297
                      • Instruction ID: 75e26f7f6c3f3dbd7fc3c9379f58c72dc3a715cd35b24c1fb8b7d51949cc7e38
                      • Opcode Fuzzy Hash: a70f240359ba1a68c472f995740389da0d47dfedb64d48b38e90ed404f3a4297
                      • Instruction Fuzzy Hash: FE427F71A043016BC604FB76C95B9AE77A5AF91348F40093FF542671E2EE7C9A08879B
                      Uniqueness

                      Uniqueness Score: -1.00%
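
The function blocks above list raw call sites without interpretation: several HKEY_CURRENT_USER reads opened with access mask 00020019, a RegCreateKeyA/RegSetValueExA write of a 4-byte REG_DWORD, WSAStartup/socket and a LoadLibraryA/GetProcAddress lookup of getaddrinfo, GetForegroundWindow/GetWindowTextW for window-title capture, DeleteFileW/ShellExecuteW in the file-management routine, and the CreatePipe, CreateProcessA, PeekNamedPipe, ReadFile, WriteFile sequence that backs the "launch and control a shell" signature. As an added example that is not part of the Joe Sandbox report, the Python below parses such lines, names the hive and expands the samDesired mask of RegOpenKeyExA (00020019 is KEY_READ), and flags behaviours from co-occurring APIs. The pattern table, the decoding constants and the ApiCall shape are this example's own; the sample listing is copied from the bullet lines of the blocks above.

```python
"""Parse the API lines of a Joe Sandbox function listing and flag behaviours.
Added example for this report, not Joe Sandbox code. REPORT_EXCERPT is copied
from the bullet lines of the function blocks above; the pattern table and the
registry-argument decoding are this example's own post-processing assumptions."""
import re
from collections import namedtuple

# Three line shapes occur: "Api.MODULE(args), ref: ADDR", "Api.MODULE ref: ADDR",
# and "Part of subcall function X: Api.MODULE(...), ref: ADDR".
API_LINE = re.compile(
    r"•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[\w@]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# args: raw tokens ('?' = value not recovered); ref: call-site address;
# subcall: reached through a callee rather than made by this function directly.
ApiCall = namedtuple("ApiCall", "api module args ref subcall")

def parse_api_line(line):
    m = API_LINE.search(line)
    if not m:
        return None
    raw = m.group("args") or ""
    args = [a.strip() for a in raw.split(",")] if raw else []
    return ApiCall(m.group("api"), m.group("module"), args,
                   int(m.group("ref"), 16), m.group("sub") is not None)

def parse_report(text):
    return [c for c in map(parse_api_line, text.splitlines()) if c]

def _hex(tok):
    try:               # stack arguments are heuristic; '?' and strings give None
        return int(tok, 16)
    except ValueError:
        return None

HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_RIGHTS = [(0x20000, "READ_CONTROL"), (0x1, "KEY_QUERY_VALUE"), (0x2, "KEY_SET_VALUE"),
              (0x4, "KEY_CREATE_SUB_KEY"), (0x8, "KEY_ENUMERATE_SUB_KEYS"), (0x10, "KEY_NOTIFY"),
              (0x20, "KEY_CREATE_LINK"), (0x100, "KEY_WOW64_64KEY"), (0x200, "KEY_WOW64_32KEY")]
KEY_READ = 0x20019  # READ_CONTROL | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY

def decode_reg_open(call):
    """RegOpenKeyExA(hKey, lpSubKey, ulOptions, samDesired, phkResult):
    name the root hive and expand samDesired into individual rights."""
    if call.api != "RegOpenKeyExA" or len(call.args) < 4:
        return None
    hive, mask = _hex(call.args[0]), _hex(call.args[3])
    if hive is None or mask is None:
        return None
    rights = [name for bit, name in KEY_RIGHTS if mask & bit]
    label = "KEY_READ" if mask == KEY_READ else hex(mask)
    return HIVES.get(hive, hex(hive)), label, rights

# Behaviours inferred from co-occurring APIs; every API in a set must be present.
PATTERNS = {
    "registry read": {"RegOpenKeyExA", "RegQueryValueExA"},
    "registry write": {"RegCreateKeyA", "RegSetValueExA"},
    "piped child process (remote shell)": {"CreatePipe", "CreateProcessA",
                                           "PeekNamedPipe", "ReadFile", "WriteFile"},
    "foreground window title capture": {"GetForegroundWindow", "GetWindowTextW"},
    "winsock client": {"WSAStartup", "socket"},
    "dynamic API resolution": {"LoadLibraryA", "GetProcAddress"},
    "file delete/execute on command": {"DeleteFileW", "ShellExecuteW"},
}

def classify(calls):
    seen = {c.api for c in calls}
    return sorted(name for name, needed in PATTERNS.items() if needed <= seen)

# Copied from the API lines of the function blocks above (17 call sites).
REPORT_EXCERPT = """\
• RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 004135E7
• RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
• RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
• socket.WS2_32(?,00000001,00000006), ref: 00404852
  • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
• GetForegroundWindow.USER32 ref: 0041BAB8
• GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BACB
  • Part of subcall function 00414D86: LoadLibraryA.KERNEL32(?), ref: 00414E17
  • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
• DeleteFileW.KERNEL32(00000000), ref: 00407DA9
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408197
• CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
• PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
• ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
• WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660C0,00000062,004660A4), ref: 004059E4
"""

if __name__ == "__main__":
    calls = parse_report(REPORT_EXCERPT)
    for c in calls:
        print(f"{c.ref:08X} {c.api}.{c.module} {decode_reg_open(c) or ''}")
    print("behaviours:", classify(calls))
```

Two caveats apply when reading output like this. The argument lists in the report are recovered heuristically from the stack at the call site, which is why values show as "?" and why a call such as RegSetValueExA appears with more tokens than the function has parameters; decode only the leading positions whose meaning is fixed by the prototype, as decode_reg_open does. Classifying over a whole listing, as classify does here, is deliberately coarse: the same APIs co-occurring inside one function block (as they do in the shell routine that follows) is a much stronger indicator than their presence anywhere in the binary, so a production version would group calls per block before applying the pattern table.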

                      APIs
                      • __Init_thread_footer.LIBCMT ref: 004056E6
                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                      • __Init_thread_footer.LIBCMT ref: 00405723
                      • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
                      • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                      • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                      • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                      • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                      • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                        • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                      • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660C0,00000062,004660A4), ref: 004059E4
                      • Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
                      • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                      • CloseHandle.KERNEL32 ref: 00405A23
                      • CloseHandle.KERNEL32 ref: 00405A2B
                      • CloseHandle.KERNEL32 ref: 00405A3D
                      • CloseHandle.KERNEL32 ref: 00405A45
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                      • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                      • API String ID: 2994406822-18413064
                      • Opcode ID: 69868f19d4afdba9b8a942f92bd1d450b68e18425ce702031f45d70d79e74566
                      • Instruction ID: 70e6a120cd26ef4d63fea04585a98dfb86eec3f3f3d93349c630b188a9e88b71
                      • Opcode Fuzzy Hash: 69868f19d4afdba9b8a942f92bd1d450b68e18425ce702031f45d70d79e74566
                      • Instruction Fuzzy Hash: 8891E471604604AFD711FB36ED42A6F369AEB84308F01443FF989A62E2DB7D9C448B5D
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetCurrentProcessId.KERNEL32 ref: 00412106
                        • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                        • Part of subcall function 00413877: RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                        • Part of subcall function 00413877: RegCloseKey.KERNEL32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                      • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412146
                      • CloseHandle.KERNEL32(00000000), ref: 00412155
                      • CreateThread.KERNEL32(00000000,00000000,004127EE,00000000,00000000,00000000), ref: 004121AB
                      • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                      • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                      • API String ID: 3018269243-13974260
                      • Opcode ID: a6f06d6d975461e53999e87d355abb972fdf6fcb2e3af8b957eb56666153e528
                      • Instruction ID: 8205490d34a3093c97c97cf0412c87f535f0d81ed9353c04b1464aab831027f3
                      • Opcode Fuzzy Hash: a6f06d6d975461e53999e87d355abb972fdf6fcb2e3af8b957eb56666153e528
                      • Instruction Fuzzy Hash: 2671813160430167C614FB72CD579AE73A4AF90308F50057FB546A61E2FFBC9949C69E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
                      • FindClose.KERNEL32(00000000), ref: 0040BBC9
                      • FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
                      • FindClose.KERNEL32(00000000), ref: 0040BD12
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$CloseFile$FirstNext
                      • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                      • API String ID: 1164774033-3681987949
                      • Opcode ID: f67c7b742204fdc5d77f255c0325554f1dfd1f76d2e9b6ee77996e0de3cbfab6
                      • Instruction ID: 0369a90be492857ee26322cec2c2e6bc6ddf3692cf68474a737f8ca2a3b0d98c
                      • Opcode Fuzzy Hash: f67c7b742204fdc5d77f255c0325554f1dfd1f76d2e9b6ee77996e0de3cbfab6
                      • Instruction Fuzzy Hash: 13516E3190421A9ADB14F7B2DC56DEEB739AF11304F10057FF406721E2EF785A89CA89
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • OpenClipboard.USER32 ref: 004168C2
                      • EmptyClipboard.USER32 ref: 004168D0
                      • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
                      • GlobalLock.KERNEL32(00000000), ref: 004168F9
                      • GlobalUnlock.KERNEL32(00000000), ref: 0041692F
                      • SetClipboardData.USER32(0000000D,00000000), ref: 00416938
                      • CloseClipboard.USER32 ref: 00416955
                      • OpenClipboard.USER32 ref: 0041695C
                      • GetClipboardData.USER32(0000000D), ref: 0041696C
                      • GlobalLock.KERNEL32(00000000), ref: 00416975
                      • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                      • CloseClipboard.USER32 ref: 00416984
                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                      • String ID: !D@$hdF
                      • API String ID: 3520204547-3475379602
                      • Opcode ID: 251126a187cec31cd5273b3430a1e3e85d5a02b92eef6e9a9353f0c96c5fadc2
                      • Instruction ID: 9e7c9e91df33a813dd3aefbd505e3631e00017b2d00f6ad0929271c723fa7fba
                      • Opcode Fuzzy Hash: 251126a187cec31cd5273b3430a1e3e85d5a02b92eef6e9a9353f0c96c5fadc2
                      • Instruction Fuzzy Hash: 9F212171604301DBD714BB71DC5DABE36A9AF88746F40043EF946921E2EF3C8D45C66A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F48E
                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4B9
                      • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
                      • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F563
                        • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                        • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                      • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F66E
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                      • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$hdF$hdF$ieinstal.exe$ielowutil.exe
                      • API String ID: 3756808967-3633479162
                      • Opcode ID: 5a2294e59db7c27b7807dc3d136ce10c94905aa7ef5ac5238dac54e749f80625
                      • Instruction ID: b3f00c97eb68dcc530bbf6735eb7028ff3362e05d7342ed3a56d945b0ce45bff
                      • Opcode Fuzzy Hash: 5a2294e59db7c27b7807dc3d136ce10c94905aa7ef5ac5238dac54e749f80625
                      • Instruction Fuzzy Hash: F6715E705083419BC724FB21D8959AEB7A5AF90348F50083FF586631E3EF78994ECB5A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDAF
                      • FindClose.KERNEL32(00000000), ref: 0040BDC9
                      • FindNextFileA.KERNEL32(00000000,?), ref: 0040BE89
                      • FindClose.KERNEL32(00000000), ref: 0040BEAF
                      • FindClose.KERNEL32(00000000), ref: 0040BED0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$Close$File$FirstNext
                      • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                      • API String ID: 3527384056-432212279
                      • Opcode ID: 5cc50f8fd21b53155f4fa546f2c7f68f14a55f9ccce602792c20db31142d2112
                      • Instruction ID: daa8673b40617291cefb90f55d029d970aaced9502edc59260dc825ad40fac9f
                      • Opcode Fuzzy Hash: 5cc50f8fd21b53155f4fa546f2c7f68f14a55f9ccce602792c20db31142d2112
                      • Instruction Fuzzy Hash: 38417D3190021AAADB04F7A6DC5A9EEB769DF11704F50017FF506B20D2EF385A46CA9E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
                      • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
                      • GetFileSize.KERNEL32(?,00000000), ref: 00413432
                      • UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
                      • CloseHandle.KERNEL32(00000000), ref: 0041345F
                      • CloseHandle.KERNEL32(?), ref: 00413465
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                      • String ID:
                      • API String ID: 297527592-0
                      • Opcode ID: 67f9dd60809dfe48e1f8f3f45ef8fa7be9d816a9085d556e792f524ebedf389a
                      • Instruction ID: 9e0538afe5582c7c3c7070a3da709670e2bb39b60280b40541f30be5467d1837
                      • Opcode Fuzzy Hash: 67f9dd60809dfe48e1f8f3f45ef8fa7be9d816a9085d556e792f524ebedf389a
                      • Instruction Fuzzy Hash: ED41E631108305BBD7109F25DC4AF6B3BACEF89726F10092AFA14D51A2DF38DA40C66E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 0$1$2$3$4$5$6$7$VG
                      • API String ID: 0-1861860590
                      • Opcode ID: 41b7ed3079968531247989beadbe1f0bf299f88a528c0936b597c9f8fef39dcf
                      • Instruction ID: 08acf1e0be570df0aadc768861284cd9b307e7e5fc43d41925289fb9f64992c1
                      • Opcode Fuzzy Hash: 41b7ed3079968531247989beadbe1f0bf299f88a528c0936b597c9f8fef39dcf
                      • Instruction Fuzzy Hash: A771B2709183019FD304EF21D862BAB7B94DF95310F10492FF5A26B2D1DF78AA49CB96
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • _wcslen.LIBCMT ref: 00407521
                      • CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Object_wcslen
                      • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                      • API String ID: 240030777-3166923314
                      • Opcode ID: c58fb5e2275a5e844cecf76189ae7002021d5fd77b9420cad953500b1bf3d6e9
                      • Instruction ID: 36c1a35fc662e139fbe0c3856e6c09b73c1590006896ac343f6f9e6a2f87480d
                      • Opcode Fuzzy Hash: c58fb5e2275a5e844cecf76189ae7002021d5fd77b9420cad953500b1bf3d6e9
                      • Instruction Fuzzy Hash: 1D115172D04218BAD710E6959C45ADEB7A89B08714F15007BF904B2282E77CAA4486BA
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
                      • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
                      • GetLastError.KERNEL32 ref: 0041A7BB
                      • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: EnumServicesStatus$ErrorLastManagerOpen
                      • String ID:
                      • API String ID: 3587775597-0
                      • Opcode ID: cb26237d32f02a98d25526e3156964c9bed4d8502920b032fc5f989f1b3ceaa3
                      • Instruction ID: 0905bbee584710e72bd43cf86ffd47af08151029a50ddcda7611e9b1cb6672f7
                      • Opcode Fuzzy Hash: cb26237d32f02a98d25526e3156964c9bed4d8502920b032fc5f989f1b3ceaa3
                      • Instruction Fuzzy Hash: A1815F71104305ABC304EB61D885DAFB7A8FF94749F50092FF585521A2EF78EE48CB9A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
                      • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419E17
                        • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$Find$CreateFirstNext
                      • String ID: (eF$8SG$PXG$PXG$NG$PG
                      • API String ID: 341183262-875132146
                      • Opcode ID: fa513e1650efbdfc7118e76635ac31e947360e9aed22bae7ace8eedab739837c
                      • Instruction ID: 96038134cf9b6260143958ba34f432c8b7c7433700823f8ab46a3e18139dd1a2
                      • Opcode Fuzzy Hash: fa513e1650efbdfc7118e76635ac31e947360e9aed22bae7ace8eedab739837c
                      • Instruction Fuzzy Hash: D48152315083415AC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                        • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                        • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                        • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                      • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045271C
                      • IsValidCodePage.KERNEL32(00000000), ref: 00452777
                      • IsValidLocale.KERNEL32(?,00000001), ref: 00452786
                      • GetLocaleInfoW.KERNEL32(?,00001001,lJD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
                      • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 004527ED
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                      • String ID: lJD$lJD$lJD
                      • API String ID: 745075371-479184356
                      • Opcode ID: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                      • Instruction ID: 5597d49bf91f8be5c1e88387600e3254545b136a20640e737b6730ed74bf2304
                      • Opcode Fuzzy Hash: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
                      • Instruction Fuzzy Hash: 87518371900205ABDF10DFA5CD41ABF77B8AF19702F14047BFD04E7292E7B899488B69
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
                      • FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
                      • FindClose.KERNEL32(00000000), ref: 0040C47D
                      • FindClose.KERNEL32(00000000), ref: 0040C4A8
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$CloseFile$FirstNext
                      • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                      • API String ID: 1164774033-405221262
                      • Opcode ID: 778d0e55463469e3bd3f63c6ac431236a83d77e410adc205391174306d863ebc
                      • Instruction ID: 975c513e22faa42ee1994afe11ceef4a5d9ff9fa3a88a4f7cb3cdca8b35e8719
                      • Opcode Fuzzy Hash: 778d0e55463469e3bd3f63c6ac431236a83d77e410adc205391174306d863ebc
                      • Instruction Fuzzy Hash: 4131513150021AA6CB14E7A1DC9ADFE7778AF10718F10017FB105B20D2EF789A49CA4D
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2EC
                      • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C31C
                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C38E
                      • DeleteFileW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C39B
                        • Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C371
                      • GetLastError.KERNEL32(?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3BC
                      • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D2
                      • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D9
                      • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3E2
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                      • String ID:
                      • API String ID: 2341273852-0
                      • Opcode ID: 7754893f2187ba533a154fe4103e102bcae7ebd53560a2043af222d2c338aa0a
                      • Instruction ID: c19bc5cae20e4253aafd1d57f534f4f4794eeb6ee7264df4fdb3445c687e6cd6
                      • Opcode Fuzzy Hash: 7754893f2187ba533a154fe4103e102bcae7ebd53560a2043af222d2c338aa0a
                      • Instruction Fuzzy Hash: 1331827294031CAADB24E7A1DC88EDB736CAF04305F4405FBF955D2152EB39DAC88B68
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetForegroundWindow.USER32(?,?,004750F0), ref: 0040A416
                      • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                      • GetKeyboardLayout.USER32(00000000), ref: 0040A429
                      • GetKeyState.USER32(00000010), ref: 0040A433
                      • GetKeyboardState.USER32(?,?,004750F0), ref: 0040A43E
                      • ToUnicodeEx.USER32(00475144,00000000,?,?,00000010,00000000,00000000), ref: 0040A461
                      • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                      • ToUnicodeEx.USER32(00475144,?,?,?,00000010,00000000,00000000), ref: 0040A4FA
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                      • String ID:
                      • API String ID: 1888522110-0
                      • Opcode ID: cc4c28d987af9ed77b60558391ff2640f7f7fc81cb6ffa0e765e100d0ff3e66e
                      • Instruction ID: 5ff565fa5b8df07833abad56ec5ecbabe923af01fc99f1944a330f9e709d98a3
                      • Opcode Fuzzy Hash: cc4c28d987af9ed77b60558391ff2640f7f7fc81cb6ffa0e765e100d0ff3e66e
                      • Instruction Fuzzy Hash: AE316D72504308FFD710DF94DC45F9BB7ECAB88705F01083AB645D61A0E7B5E9488BA6
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0041409D
                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140A9
                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                      • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 0041426A
                      • GetProcAddress.KERNEL32(00000000), ref: 00414271
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressCloseCreateLibraryLoadProcsend
                      • String ID: SHDeleteKeyW$Shlwapi.dll
                      • API String ID: 2127411465-314212984
                      • Opcode ID: b4893ef033a9ee04608ed919ae18d9c5a0f90bfd274c4fcb927e554b57608227
                      • Instruction ID: ad322413622673165c78a8c4b5f48079e939d646f467ca97d3bec1feacf55119
                      • Opcode Fuzzy Hash: b4893ef033a9ee04608ed919ae18d9c5a0f90bfd274c4fcb927e554b57608227
                      • Instruction Fuzzy Hash: F9B1F971A0430066CA14FB76DC5B9AF36A86FD1748F40053FF942771E2EE7C9A4886DA
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • _free.LIBCMT ref: 00449212
                      • _free.LIBCMT ref: 00449236
                      • _free.LIBCMT ref: 004493BD
                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                      • _free.LIBCMT ref: 00449589
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$ByteCharMultiWide$InformationTimeZone
                      • String ID:
                      • API String ID: 314583886-0
                      • Opcode ID: 9a4a29a95fdf449062c48f6955f9d0fad93806c2e8219aa4180f52e5cd87d69f
                      • Instruction ID: 779aab753f07af14b01adf3fce5c8211df4e7f9331a35af1166ddbde82723190
                      • Opcode Fuzzy Hash: 9a4a29a95fdf449062c48f6955f9d0fad93806c2e8219aa4180f52e5cd87d69f
                      • Instruction Fuzzy Hash: CAC15771900205ABFB24DF69CC41AAFBBA8EF46314F1405AFE89497381E7788E42D758
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FBC
                      • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070A0
                      Strings
                      • C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, xrefs: 00407007, 0040712F
                      • aF, xrefs: 00406FE0
                      • aF, xrefs: 004070F1
                      • open, xrefs: 00406FB6
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: DownloadExecuteFileShell
                      • String ID: aF$ aF$C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe$open
                      • API String ID: 2825088817-1319658641
                      • Opcode ID: 5d4e3c66d3cb5693cf17a53ba45bcfd5374de60b1c583c21400b4fe5e30b2e29
                      • Instruction ID: 27a8b34c094a82f854f2ee3e6b31e6014a71d41456184bc7540e3ceb6c1d0c01
                      • Opcode Fuzzy Hash: 5d4e3c66d3cb5693cf17a53ba45bcfd5374de60b1c583c21400b4fe5e30b2e29
                      • Instruction Fuzzy Hash: 6561A171B0830166CA24FB76C8569BE37A59F81748F50093FB942772D2EE3C9905C69B
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • __EH_prolog.LIBCMT ref: 00408811
                      • FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
                      • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
                      • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                      • String ID: hdF
                      • API String ID: 1771804793-665520524
                      • Opcode ID: 390627094965f1798e55e015da18b83244ade312cf37f9ca5738f400f7c59cf5
                      • Instruction ID: 1e810be39857a3d86828f92fa26e793a4655b35e172fafea17edde612d57cc14
                      • Opcode Fuzzy Hash: 390627094965f1798e55e015da18b83244ade312cf37f9ca5738f400f7c59cf5
                      • Instruction Fuzzy Hash: 16515F72900209AACF04FB61DD569ED7778AF11308F50417FB946B61E2EF389B48CB99
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                        • Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                        • Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                        • Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                        • Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D
                      • ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
                      • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 0041686B
                      • GetProcAddress.KERNEL32(00000000), ref: 00416872
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                      • String ID: !D@$PowrProf.dll$SetSuspendState
                      • API String ID: 1589313981-2876530381
                      • Opcode ID: 8ce191c967a42c787c9f60fc832cecced2ee4e9844afd20766cc7ce476c8f96f
                      • Instruction ID: 15d3ae9bc4d358b9de40311b9e813ebd0b85961e95f80c383f5c7d57e5fc9640
                      • Opcode Fuzzy Hash: 8ce191c967a42c787c9f60fc832cecced2ee4e9844afd20766cc7ce476c8f96f
                      • Instruction Fuzzy Hash: 6E21617060430256CB14FBB68856AAE63599F41788F41487FB442A72D3EF3CD845CBAE
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524D5
                      • GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524FE
                      • GetACP.KERNEL32(?,?,0045275B,?,00000000), ref: 00452513
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: InfoLocale
                      • String ID: ACP$OCP$['E
                      • API String ID: 2299586839-2532616801
                      • Opcode ID: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                      • Instruction ID: 65f7b5195a5790e2d5819d7d4b0c6b76a8aa59636dcad79128a037cfc813d78c
                      • Opcode Fuzzy Hash: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
                      • Instruction Fuzzy Hash: FD21F432600104A7DB348F54CF00AA773A6EB47B1AB168567EC09D7302F7BADD48C398
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
                      • GetLastError.KERNEL32 ref: 0040BA58
                      Strings
                      • [Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
                      • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19
                      • UserProfile, xrefs: 0040BA1E
                      • [Chrome StoredLogins not found], xrefs: 0040BA72
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: DeleteErrorFileLast
                      • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      • API String ID: 2018770650-1062637481
                      • Opcode ID: 7df5978969732fb09709de34775d6ce1a623c26fc4145e618767f27fcf07f662
                      • Instruction ID: af402a2c9819bc64f7c9913ab42ffc044d60d1b3c88a69bbc3d4df1d4d30a246
                      • Opcode Fuzzy Hash: 7df5978969732fb09709de34775d6ce1a623c26fc4145e618767f27fcf07f662
                      • Instruction Fuzzy Hash: 2D01A7B17801056AC70477B6CD5B9BE77249911704F50057FF802725E2FE7D59098ADE
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
                      • OpenProcessToken.ADVAPI32(00000000), ref: 00417966
                      • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
                      • GetLastError.KERNEL32 ref: 0041799D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                      • String ID: SeShutdownPrivilege
                      • API String ID: 3534403312-3733053543
                      • Opcode ID: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                      • Instruction ID: b599e5caaba2c857c5a7044ea86e3d1b9a306509f9612008a7a3a71442eb1233
                      • Opcode Fuzzy Hash: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
                      • Instruction Fuzzy Hash: 1EF03AB1801229FBDB109BA0EC4DEEF7FBCEF05612F100461B809A1092D7388E04CAB5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: __floor_pentium4
                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                      • API String ID: 4168288129-2761157908
                      • Opcode ID: df2971786bbf8e496eef17942e665dfb4286cfe499c735b5cf4645abbbd9631d
                      • Instruction ID: adbfc57a6ba9eb8fd61ef87ee4788d0f45260f030e03b769905361500cdb2a19
                      • Opcode Fuzzy Hash: df2971786bbf8e496eef17942e665dfb4286cfe499c735b5cf4645abbbd9631d
                      • Instruction Fuzzy Hash: EBC26E71E046288FDB25CE28DD407EAB3B5EB85306F1541EBD80DE7241E778AE898F45
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • __EH_prolog.LIBCMT ref: 00409258
                        • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
                      • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
                      • FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
                      • FindClose.KERNEL32(00000000), ref: 004093C1
                        • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                        • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                        • Part of subcall function 00404E26: CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                      • FindClose.KERNEL32(00000000), ref: 004095B9
                        • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                        • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                      • String ID:
                      • API String ID: 1824512719-0
                      • Opcode ID: 66e5523d14644c4e919d6d35766acf297be83262445cdd51cc4dde8fcd070622
                      • Instruction ID: 125c9cc0036adb3739497efb01147483584b5989e706bb19fe9a4109aadf0594
                      • Opcode Fuzzy Hash: 66e5523d14644c4e919d6d35766acf297be83262445cdd51cc4dde8fcd070622
                      • Instruction Fuzzy Hash: DCB18D32900109AACB14EBA1DD96AED7779AF04318F10417FF506B60E2EF785E49CB98
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
                      • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
                      • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
                      • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
                      • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
                      • CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Service$CloseHandle$Open$ManagerStart
                      • String ID:
                      • API String ID: 276877138-0
                      • Opcode ID: 38ff3efd75794608fc7efc6ab14161dff6b0215efc9cafdd27725548e5e732cb
                      • Instruction ID: 9fefcdd13c5f6832e1e8d6374d810b05479d45f16fba084c356bea358aebaaee
                      • Opcode Fuzzy Hash: 38ff3efd75794608fc7efc6ab14161dff6b0215efc9cafdd27725548e5e732cb
                      • Instruction Fuzzy Hash: FCF08971101325AFD2119B619C88DFF2B6CDF85BA6B00082AF945921919B68CD49E9B9
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                        • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                        • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                      • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444A73,?,?,?,?,004444CA,?,00000004), ref: 00451DBA
                      • _wcschr.LIBVCRUNTIME ref: 00451E4A
                      • _wcschr.LIBVCRUNTIME ref: 00451E58
                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,sJD,00000000,?), ref: 00451EFB
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                      • String ID: sJD
                      • API String ID: 4212172061-3536923933
                      • Opcode ID: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
                      • Instruction ID: 601d6103ecad0283333aca7e4f79148897faf6e4cefa34abd84194fcdbd45a0d
                      • Opcode Fuzzy Hash: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
                      • Instruction Fuzzy Hash: ED61FA35500606AAE724AB75CC86BBB73A8EF04316F14046FFD05D7292EB78ED48C769
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
                      • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F
                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: FileFind$FirstNextsend
                      • String ID: (eF$XPG$XPG
                      • API String ID: 4113138495-1496965907
                      • Opcode ID: 3a05d701df8f0ff664f5bc8d802d50a1ff01a44446ce82f6d5a8e89048115d4e
                      • Instruction ID: 6b6d716c6ecdfe6ec78918620e47e684a121d368db73a1555a51ac38f2ecb6eb
                      • Opcode Fuzzy Hash: 3a05d701df8f0ff664f5bc8d802d50a1ff01a44446ce82f6d5a8e89048115d4e
                      • Instruction Fuzzy Hash: 212195325083419BC314FB61D855DEFB3ACAF90358F40493EF696621E1EF78AA09C65B
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B4B9
                      • LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
                      • LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
                      • SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Resource$FindLoadLockSizeof
                      • String ID: SETTINGS
                      • API String ID: 3473537107-594951305
                      • Opcode ID: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                      • Instruction ID: 65170a014006dd87783428e4339c5f85687a52ee3761dac8d56b05c0676c202a
                      • Opcode Fuzzy Hash: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
                      • Instruction Fuzzy Hash: 8AE01A36200B22EBEB311BA5AC4CD473E29F7C97637100075F90596232CB798840DAA8
                      Uniqueness

                      Uniqueness Score: -1.00%
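The function above looks up a resource named SETTINGS of type 0x0A (RT_RCDATA) and maps it with LoadResource/LockResource/SizeofResource; that resource is where Remcos keeps its encrypted configuration, which is what the report's "Found malware configuration" and "C2 URLs / IPs found in malware configuration" signatures are derived from. The decoder below is an added example, not code from the report or from Joe Sandbox. It assumes the blob layout documented in public Remcos 3.x/4.x write-ups and not stated anywhere in this report: one byte giving the RC4 key length, the key itself, then the RC4-encrypted configuration with fields joined by the delimiter `|\x1e\x1e\x1f|`, the first field holding `host:port:password;` C2 entries. Since RC4 never "fails" on a wrong key, the decoder validates its output by requiring that delimiter instead of returning garbage silently. Pulling the resource out of the PE is left to a resource parser such as pefile; here a blob is constructed in the same layout so the code runs offline.

```python
"""Decode a Remcos-style SETTINGS resource blob (added example, not report code)."""
from typing import List, Tuple

# Layout assumed here (from public Remcos 3.x/4.x analyses, NOT stated in the report):
#   [key_len:1][rc4_key:key_len][rc4(field_0 SEP field_1 SEP ...)]
FIELD_SEP = b"|\x1e\x1e\x1f|"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric, so the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_settings(key: bytes, fields: List[bytes]) -> bytes:
    """Build a blob in the assumed layout; used only to construct offline test input."""
    if not 0 < len(key) < 256:
        raise ValueError("key length must fit in one byte")
    return bytes([len(key)]) + key + rc4(key, FIELD_SEP.join(fields))


def decode_settings(blob: bytes) -> List[bytes]:
    """Split a SETTINGS blob into its decrypted configuration fields."""
    if len(blob) < 2:
        raise ValueError("blob too short for a key-length byte and a key")
    key_len = blob[0]
    if key_len == 0 or len(blob) <= 1 + key_len:
        raise ValueError("malformed key length or no ciphertext after the key")
    key = blob[1:1 + key_len]
    plain = rc4(key, blob[1 + key_len:])
    if FIELD_SEP not in plain:
        # RC4 with a wrong key still returns bytes; the delimiter is the only sanity check.
        raise ValueError("no field delimiter in decrypted data: wrong key or layout")
    return plain.split(FIELD_SEP)


def is_valid_settings(blob: bytes) -> bool:
    """True if the blob decodes to a delimited field list under the assumed layout."""
    try:
        decode_settings(blob)
        return True
    except ValueError:
        return False


def parse_c2(field: bytes) -> List[Tuple[str, int, str]]:
    """Parse the first field as 'host:port:password;...' entries (assumed format)."""
    entries: List[Tuple[str, int, str]] = []
    for entry in field.decode("latin-1").split(";"):
        if not entry:
            continue
        parts = entry.split(":")
        if len(parts) < 2 or not parts[1].isdigit():
            raise ValueError(f"unexpected C2 entry: {entry!r}")
        entries.append((parts[0], int(parts[1]), ":".join(parts[2:])))
    return entries


if __name__ == "__main__":
    # Constructed sample: a three-field config under key b"k3y" (not from the report).
    sample = build_settings(b"k3y", [b"10.0.0.5:2404:1;", b"Remcos", b"RemoteHost"])
    for host, port, password in parse_c2(decode_settings(sample)[0]):
        print(f"C2 {host}:{port} password={password!r}")
```

When applied to a real sample, the blob fed to `decode_settings` is the raw bytes of the RCDATA resource named SETTINGS; if the delimiter check fails on a fresh build, the layout has changed and the key-length assumption is the first thing to re-verify in the disassembly of the function at 0041B4B9.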

                      APIs
                      • __EH_prolog.LIBCMT ref: 0040966A
                      • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
                      • FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
                      • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Find$File$CloseFirstH_prologNext
                      • String ID:
                      • API String ID: 1157919129-0
                      • Opcode ID: 8c864b4c8a0bf1e215c385589a07c12357ec87fb3bfb998b32f11afd7bc615e9
                      • Instruction ID: bc6583c976318a9931a9d4e75bf6093b5b8d8c817350453c5398c0af4fd679c1
                      • Opcode Fuzzy Hash: 8c864b4c8a0bf1e215c385589a07c12357ec87fb3bfb998b32f11afd7bc615e9
                      • Instruction Fuzzy Hash: 59812B329001199BCB15EBA1DC969EDB378AF14318F10417FE506B71E2EF78AE49CB58
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
                        • Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
                        • Part of subcall function 0041376F: RegSetValueExA.KERNEL32(?,004674B8,00000000,?,00000000,00000000,004752F0,?,?,0040F853,004674B8,4.9.4 Pro), ref: 004137A6
                        • Part of subcall function 0041376F: RegCloseKey.KERNEL32(?,?,?,0040F853,004674B8,4.9.4 Pro), ref: 004137B1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseCreateInfoParametersSystemValue
                      • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                      • API String ID: 4127273184-3576401099
                      • Opcode ID: f2c43ad2b54eca36b498e515dc1d07e136ae504e1b99f40133731ebf13c7e4dd
                      • Instruction ID: 1197cbbb31bb874c57b9e92d70abebba424d259215afdbf251ae70ffa4d9d73d
                      • Opcode Fuzzy Hash: f2c43ad2b54eca36b498e515dc1d07e136ae504e1b99f40133731ebf13c7e4dd
                      • Instruction Fuzzy Hash: 7B1184B2BC021473D419313E5DABBBE28029743B51F94416BF6123A6C6E8DF0A8102CF
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                        • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                        • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                        • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452117
                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452168
                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452228
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorInfoLastLocale$_free$_abort
                      • String ID:
                      • API String ID: 2829624132-0
                      • Opcode ID: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
                      • Instruction ID: 4b80d7ab7a7ff47978e382ad652e238d088576b56b9f239e8998609391b98480
                      • Opcode Fuzzy Hash: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
                      • Instruction Fuzzy Hash: B961C1315006079BDB289F25CE82BBB77A8FF05306F1041ABED15C6642F7B89D89DB58
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • IsDebuggerPresent.KERNEL32 ref: 0043BC1A
                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC24
                      • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC31
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                      • String ID:
                      • API String ID: 3906539128-0
                      • Opcode ID: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
                      • Instruction ID: cbfc558a7ca4bb69983b526de44ffd1abc81b2e56a4044740c9350c1ecaeaada
                      • Opcode Fuzzy Hash: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
                      • Instruction Fuzzy Hash: E131C27590121DABCB21DF65DD89BCDBBB8AF08311F5051EAE80CA6251EB349F858F48
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetCurrentProcess.KERNEL32(?,?,0044328B,?), ref: 004432D6
                      • TerminateProcess.KERNEL32(00000000,?,0044328B,?), ref: 004432DD
                      • ExitProcess.KERNEL32 ref: 004432EF
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Process$CurrentExitTerminate
                      • String ID:
                      • API String ID: 1703294689-0
                      • Opcode ID: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                      • Instruction ID: 3be6e6b92543006147ef5d7b2afd166c5ab2c5ffe072a920593a5ac20c7500e8
                      • Opcode Fuzzy Hash: fda3935ef75a9da2a187ce407300f3730e4ebfece79a37869d002a8a215f2f15
                      • Instruction Fuzzy Hash: D6E0BF31400244FBDF126F55DD0AA993B69FB40757F044469F90946232CB7ADE42CA98
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • OpenClipboard.USER32(00000000), ref: 0040B711
                      • GetClipboardData.USER32(0000000D), ref: 0040B71D
                      • CloseClipboard.USER32 ref: 0040B725
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Clipboard$CloseDataOpen
                      • String ID:
                      • API String ID: 2058664381-0
                      • Opcode ID: d38c0863fa6e1407ff7c70a07519499014c38180332fc89bd075bae9f751f2b8
                      • Instruction ID: a9752f6e69e3a39ef1c6dae57fb9473311d117e3f10fa11c4aa70225693e5904
                      • Opcode Fuzzy Hash: d38c0863fa6e1407ff7c70a07519499014c38180332fc89bd075bae9f751f2b8
                      • Instruction Fuzzy Hash: 4FE0EC31645320EFC2209B609C49B9A6754DF95F52F41843AB905AB2D5DB78CC40C6AD
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,00415FFF,00000000), ref: 0041BB14
                      • NtSuspendProcess.NTDLL(00000000), ref: 0041BB21
                      • CloseHandle.KERNEL32(00000000,?,?,00415FFF,00000000), ref: 0041BB2A
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Process$CloseHandleOpenSuspend
                      • String ID:
                      • API String ID: 1999457699-0
                      • Opcode ID: 65307f06ae4da2db5a73601f3478dcd91fa25f5db04ba40a4c100ff3b6d3014e
                      • Instruction ID: bc08a5c74f7a636e8823ed9fed2a710289fdff4cb0149baf3e3f1c1580a6a9c0
                      • Opcode Fuzzy Hash: 65307f06ae4da2db5a73601f3478dcd91fa25f5db04ba40a4c100ff3b6d3014e
                      • Instruction Fuzzy Hash: 96D05E36204231E3C32017AA7C0CE97AD68EFC5AA2705412AF804C26649B20CC01C6E8
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,00416024,00000000), ref: 0041BB40
                      • NtResumeProcess.NTDLL(00000000), ref: 0041BB4D
                      • CloseHandle.KERNEL32(00000000,?,?,00416024,00000000), ref: 0041BB56
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Process$CloseHandleOpenResume
                      • String ID:
                      • API String ID: 3614150671-0
                      • Opcode ID: 2a3aa994b22e7efaa36e689b3453aa0ec17d897c0eb19943e791a895e5fd105b
                      • Instruction ID: 907c56f48a3137ad3e5a70bb4b43f8813844e3fa30c0a1486a2e097c633c30d6
                      • Opcode Fuzzy Hash: 2a3aa994b22e7efaa36e689b3453aa0ec17d897c0eb19943e791a895e5fd105b
                      • Instruction Fuzzy Hash: B8D05E36104121E3C220176A7C0CD97AE69EBC5AA2705412AF904C32619B20CC01C6F4
                      Uniqueness

                      Uniqueness Score: -1.00%
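The per-function API listings above come from a memory snapshot walked by the IDA plugin, so each block says what a function can call, not what executed during the run. As an added example (not part of the report or of Joe Sandbox), the script below parses lines in the report's own `Api.MODULE(args), ref: address` format, including the `Part of subcall function` entries, and maps each function's call set to the behaviours the report's signature list names: service start via OpenSCManagerW/OpenServiceW/StartServiceW, configuration loading from the SETTINGS RCDATA resource, wallpaper replacement via SystemParametersInfoW(SPI_SETDESKWALLPAPER = 0x14), clipboard reads of CF_UNICODETEXT (0xD), NtSuspendProcess/NtResumeProcess on a handle opened with OpenProcess, and FindFirstFileW/FindNextFileW walks that feed send(). The rule names are my own; the SDK constants are real. One caveat is built into the rules: IsDebuggerPresent followed by SetUnhandledExceptionFilter(0) and UnhandledExceptionFilter, exactly the function at 0043BC1A, is the MSVC CRT's __raise_securityfailure (the /GS stack-cookie failure path), so that combination is tagged as CRT code rather than as anti-debugging. The sample blocks are copied from the report.

```python
"""Tag report-style API listings with behaviours (added example, not report code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# One API line as printed in the report, e.g.
#   • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,...), ref: 0041AA53
#   • _wcschr.LIBVCRUNTIME ref: 00451E4A
#   • Part of subcall function 00448215: GetLastError.KERNEL32(...), ref: 00448219
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Windows SDK constants, written the way the report's zero-padded argument dumps show them.
RT_RCDATA = "0000000A"             # resource type 10
SPI_SETDESKWALLPAPER = "00000014"  # SystemParametersInfo action 20
CF_UNICODETEXT = "0000000D"        # clipboard format 13


@dataclass(frozen=True)
class Call:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: str
    subcall: bool  # True for "Part of subcall function ..." lines


def parse_calls(block: str) -> List[Call]:
    """Extract the API lines of one function block; headers and hash lines are skipped."""
    calls: List[Call] = []
    for line in block.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = tuple(a.strip() for a in (m.group("args") or "").split(",") if a.strip())
        calls.append(Call(m.group("api"), m.group("module"), args,
                          m.group("ref"), m.group("sub") is not None))
    return calls


def first_arg(calls: List[Call], api: str) -> Optional[str]:
    for c in calls:
        if c.api == api and c.args:
            return c.args[0]
    return None


def classify(calls: List[Call]) -> Set[str]:
    """Map a function's call set to behaviour tags (my naming, not Joe Sandbox's)."""
    direct = {c.api for c in calls if not c.subcall}
    anywhere = {c.api for c in calls}
    tags: Set[str] = set()
    if {"OpenSCManagerW", "OpenServiceW", "StartServiceW"} <= direct:
        tags.add("service_start")
    if {"FindResourceA", "LoadResource", "LockResource", "SizeofResource"} <= direct:
        fr = next(c for c in calls if c.api == "FindResourceA")
        tags.add("config_in_rcdata_resource" if fr.args[:2] == ("SETTINGS", RT_RCDATA)
                 else "resource_load")
    if first_arg(calls, "SystemParametersInfoW") == SPI_SETDESKWALLPAPER:
        tags.add("wallpaper_change")
    if "OpenClipboard" in direct and first_arg(calls, "GetClipboardData") == CF_UNICODETEXT:
        tags.add("clipboard_text_read")
    for native, tag in (("NtSuspendProcess", "process_suspend"), ("NtResumeProcess", "process_resume")):
        if "OpenProcess" in direct and native in direct:
            tags.add(tag)
    if {"FindFirstFileW", "FindNextFileW"} <= direct and "send" in anywhere:
        tags.add("directory_walk_to_socket")
    if "IsDebuggerPresent" in direct:
        # IsDebuggerPresent + SetUnhandledExceptionFilter + UnhandledExceptionFilter is the
        # MSVC CRT's __raise_securityfailure (/GS failure path), not malware anti-debugging.
        if {"SetUnhandledExceptionFilter", "UnhandledExceptionFilter"} <= direct:
            tags.add("crt_security_failure_handler")
        else:
            tags.add("anti_debug")
    return tags


# Sample blocks copied from the report above (test input for this script).
SERVICE_BLOCK = """APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
• OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
• StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
"""
SETTINGS_BLOCK = """• FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B4B9
• LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
• LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
• SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3
"""
WALLPAPER_BLOCK = """• SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CAD7
  • Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
  • Part of subcall function 0041376F: RegSetValueExA.KERNEL32(?,004674B8,00000000,?,00000000,00000000,004752F0,?,?,0040F853,004674B8,4.9.4 Pro), ref: 004137A6
"""
FILEWALK_BLOCK = """• FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
• FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
"""
CRT_BLOCK = """• IsDebuggerPresent.KERNEL32 ref: 0043BC1A
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC24
• UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC31
"""
```

Run over the remaining blocks on this page, the same rules leave the GetLocaleInfoW/EnumSystemLocalesW/IsValidCodePage functions and the GetCurrentProcess/TerminateProcess/ExitProcess function untagged, which is the right outcome: those are C runtime locale initialisation and process exit (their LIBCMT `_abort`/`_free` neighbours give that away), and a triage script that tagged them would be reproducing the noise a practitioner has to filter out of the signature list by hand.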

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: .
                      • API String ID: 0-248832578
                      • Opcode ID: 6d782d14881953f3dc1aa7198760a6549ba6db1eba9a251ec7cea06479966fa1
                      • Instruction ID: 28de479bcd0ee174bbf7ea2f8c467f6584cf945aa63ddb2e5cfeaaf716254919
                      • Opcode Fuzzy Hash: 6d782d14881953f3dc1aa7198760a6549ba6db1eba9a251ec7cea06479966fa1
                      • Instruction Fuzzy Hash: 233106B2900149AFEB249E7ACC85EEB7BBDEF45304F1001AEE819D7291E6349D458B54
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                        • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                        • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                      • EnumSystemLocalesW.KERNEL32(004520C3,00000001,00000000,?,lJD,?,004526F0,00000000,?,?,?), ref: 0045200D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                      • String ID: lJD
                      • API String ID: 1084509184-3316369744
                      • Opcode ID: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
                      • Instruction ID: 7d3ee128790e63e9d167a680a676634a6e0759605f9449bc3b94779c572ada63
                      • Opcode Fuzzy Hash: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
                      • Instruction Fuzzy Hash: E51125372007019FDB189F39C8916BABB91FF8075AB14482EEE4687B41D7B9A946CB44
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                        • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                        • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                      • EnumSystemLocalesW.KERNEL32(00452313,00000001,?,?,lJD,?,004526B4,lJD,?,?,?,?,?,00444A6C,?,?), ref: 00452082
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                      • String ID: lJD
                      • API String ID: 1084509184-3316369744
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004444CA,?,00000004), ref: 00448940
                      Strings
                      Yara matches
                      Similarity
                      • API ID: InfoLocale
                      • String ID: GetLocaleInfoEx
                      • API String ID: 2299586839-2904428671
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37,?,?,?,?,?), ref: 004120E7
                      • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 004120EE
                      Yara matches
                      Similarity
                      • API ID: Heap$FreeProcess
                      • String ID:
                      • API String ID: 3859560861-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00453326,?,?,00000008,?,?,004561DD,00000000), ref: 00453558
                      Yara matches
                      Similarity
                      • API ID: ExceptionRaise
                      • String ID:
                      • API String ID: 3997070919-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 0
                      • API String ID: 0-4108050209
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434C6B
                      Yara matches
                      Similarity
                      • API ID: FeaturePresentProcessor
                      • String ID:
                      • API String ID: 2325560087-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                        • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                        • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                        • Part of subcall function 00448215: _free.LIBCMT ref: 00448274
                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452367
                      Yara matches
                      Similarity
                      • API ID: ErrorLast$_free$InfoLocale_abort
                      • String ID:
                      • API String ID: 1663032902-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                        • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                        • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                      • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004522E1,00000000,00000000,?), ref: 0045256F
                      Yara matches
                      Similarity
                      • API ID: ErrorLast$InfoLocale_abort_free
                      • String ID:
                      • API String ID: 2692324296-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 00445888: EnterCriticalSection.KERNEL32(-0006D41D,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897
                      • EnumSystemLocalesW.KERNEL32(004483BE,00000001,0046EAD0,0000000C), ref: 0044843C
                      Yara matches
                      Similarity
                      • API ID: CriticalEnterEnumLocalesSectionSystem
                      • String ID:
                      • API String ID: 1272433827-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                        • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                        • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                      • EnumSystemLocalesW.KERNEL32(00451EA7,00000001,?,?,?,00452712,lJD,?,?,?,?,?,00444A6C,?,?,?), ref: 00451F87
                      Yara matches
                      Similarity
                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                      • String ID:
                      • API String ID: 1084509184-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • SetUnhandledExceptionFilter.KERNEL32(Function_00034B53,0043487A), ref: 00434B4C
                      Yara matches
                      Similarity
                      • API ID: ExceptionFilterUnhandled
                      • String ID:
                      • API String ID: 3192549508-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 0
                      • API String ID: 0-4108050209
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: @
                      • API String ID: 0-2766056989
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f41a5a7a899c2c5ffe641ad63b885c2af5ab7072673c771f4bdde5d7e27c8b4e
                      • Instruction ID: c5d71c01a3a4c2ba568a1e95f45065819b1df519d68335ab1a8a94a68da0c1ef
                      • Opcode Fuzzy Hash: f41a5a7a899c2c5ffe641ad63b885c2af5ab7072673c771f4bdde5d7e27c8b4e
                      • Instruction Fuzzy Hash: 1002BFB17146519BC318CF2EEC8053AB7E1BB8D301745863EE495C7795EB34E922CB98
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ab468733ab78125ba0c04a3e06e770d81fa6048f74458c9db32780a1fb096c70
                      • Instruction ID: 4a18c9c21abf6ab3d0e9afb34562907cd60dbb70f6b305f111ae620774dcdf5c
                      • Opcode Fuzzy Hash: ab468733ab78125ba0c04a3e06e770d81fa6048f74458c9db32780a1fb096c70
                      • Instruction Fuzzy Hash: 42F18C716142559FC304DF1EE89182BB3E1FB89301B450A2EF5C2C7391DB79EA16CB9A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                      • Instruction ID: b3ba5b81110409d95a5723b53b6c8744913893e641e186edab39e166e1bc966b
                      • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                      • Instruction Fuzzy Hash: 7DC1B1723091930ADF2D4A3D853453FFBA15AA57B171A275FE8F2CB2C1EE18C524D524
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                      • Instruction ID: 7f684bb0481695d58232a2b0d47c85f4cbd32b92c5f53758fc2a28b9861b6fac
                      • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                      • Instruction Fuzzy Hash: EAC1C5723092930ADF2D463D853453FFBA15AA57B171A275EE8F2CB2C5FE28C524C614
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                      • Instruction ID: b4bbf9256ac03f5d23606f900b1ff113549fac5ad7a5b3908127750d008d8003
                      • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                      • Instruction Fuzzy Hash: FDC1B0B230D1930ADB3D4A3D953453FBBA15AA63B171A275ED8F2CB2C1FE18C524D624
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                      • Instruction ID: c0cc860fb011aaa8bec1e183ca1ba44e4399d72b3d9d4532b0ef978257cdf629
                      • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                      • Instruction Fuzzy Hash: 08C1A0B230D1930ADB3D463D853853FBBA15AA67B171A276ED8F2CB2C1FE18C524D614
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e161149dfcfde14b0cd5a29c2f169de042b37c027391bcdbe844d1d06cbdb277
                      • Instruction ID: 79373b44a76dcf5e8091c0b891bec819a00bcae964dee749e010b71610d2b526
                      • Opcode Fuzzy Hash: e161149dfcfde14b0cd5a29c2f169de042b37c027391bcdbe844d1d06cbdb277
                      • Instruction Fuzzy Hash: F7B1A5795142998ACF05EF28C4913F63BA1EF6A300F4851B9EC9DCF757D2398506EB24
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 912b91bcee59c5ac73c124bb0811566e2b40e5b970351445414cbd9e4b54fd2a
                      • Instruction ID: 9176630f27626b4b14444871c43cfb7a364794bde640040d1d9abeeee83df0d0
                      • Opcode Fuzzy Hash: 912b91bcee59c5ac73c124bb0811566e2b40e5b970351445414cbd9e4b54fd2a
                      • Instruction Fuzzy Hash: E1614531602709E6EF349A2B48917BF2395AB1D304F58341BED42DB3C1D55DED428A1E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c6b1042308d2b4dc2ea763a701fecb4f21cb89e1eeb5fcb47da04713de909616
                      • Instruction ID: c8a25274eb6ace22fd939f207aba0bb726f52b15d0dfb3f1b2e2615f3a586ecc
                      • Opcode Fuzzy Hash: c6b1042308d2b4dc2ea763a701fecb4f21cb89e1eeb5fcb47da04713de909616
                      • Instruction Fuzzy Hash: B2619C71602609A6DA34496B8893BBF6394EB6D308F94341BE443DB3C1E61DEC43875E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                      • Instruction ID: b97fed3bff06dc01e1c808345b9e1576e5435f58d5e0cb17a963d6e43aa39459
                      • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                      • Instruction Fuzzy Hash: C8516A21E01A4496DB38892964D67BF67A99B1E304F18390FE443CB7C2C64DED06C35E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 628fd2d23e3b9e8eddda9414cca102861cb20c2ab21f2c1c82199380d97b1b87
                      • Instruction ID: 96b5c22f40dc969dc1399d427f9382315b517a9523814fa291cced01a0c32d8b
                      • Opcode Fuzzy Hash: 628fd2d23e3b9e8eddda9414cca102861cb20c2ab21f2c1c82199380d97b1b87
                      • Instruction Fuzzy Hash: 5B617E72A083059FC304DF35D581A5FB7E5AFCC318F510E2EF499D6151EA35EA088B86
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmpDownload File
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                      • Instruction ID: 78f0f7b5b7642c22d8ee35c169576c4e0068381375f86828a5140fd971b96714
                      • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                      • Instruction Fuzzy Hash: 9311E6BB24034143D6088A2DCCB85B7E797EADD321F7D626FF0424B758DB2AA9459608
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418E90
                      • CreateCompatibleDC.GDI32(00000000), ref: 00418E9D
                        • Part of subcall function 00419325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419355
                      • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F13
                      • DeleteDC.GDI32(00000000), ref: 00418F2A
                      • DeleteDC.GDI32(00000000), ref: 00418F2D
                      • DeleteObject.GDI32(00000000), ref: 00418F30
                      • SelectObject.GDI32(00000000,00000000), ref: 00418F51
                      • DeleteDC.GDI32(00000000), ref: 00418F62
                      • DeleteDC.GDI32(00000000), ref: 00418F65
                      • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418F89
                      • GetCursorInfo.USER32(?), ref: 00418FA7
                      • GetIconInfo.USER32(?,?), ref: 00418FBD
                      • DeleteObject.GDI32(?), ref: 00418FEC
                      • DeleteObject.GDI32(?), ref: 00418FF9
                      • DrawIcon.USER32(00000000,?,?,?), ref: 00419006
                      • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0041903C
                      • GetObjectA.GDI32(00000000,00000018,?), ref: 00419068
                      • LocalAlloc.KERNEL32(00000040,00000001), ref: 004190D5
                      • GlobalAlloc.KERNEL32(00000000,?), ref: 00419144
                      • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00419168
                      • DeleteDC.GDI32(?), ref: 0041917C
                      • DeleteDC.GDI32(00000000), ref: 0041917F
                      • DeleteObject.GDI32(00000000), ref: 00419182
                      • GlobalFree.KERNEL32(?), ref: 0041918D
                      • DeleteObject.GDI32(00000000), ref: 00419241
                      • GlobalFree.KERNEL32(?), ref: 00419248
                      • DeleteDC.GDI32(?), ref: 00419258
                      • DeleteDC.GDI32(00000000), ref: 00419263
                      Similarity
                      • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                      • String ID: DISPLAY
                      • API String ID: 4256916514-865373369

                      APIs
                        • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                        • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
                      • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
                      • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579
                        • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
                        • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                        • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5
                        • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466468,00000000,00000000,0040D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C430
                      • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
                      • ExitProcess.KERNEL32 ref: 0040D7D0
                      Similarity
                      • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                      • String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hdF$hpF$open$wend$while fso.FileExists("
                      • API String ID: 1861856835-2780701618

                      APIs
                      • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
                      • GetProcAddress.KERNEL32(00000000), ref: 00418139
                      • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
                      • GetProcAddress.KERNEL32(00000000), ref: 0041814D
                      • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
                      • GetProcAddress.KERNEL32(00000000), ref: 00418161
                      • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
                      • GetProcAddress.KERNEL32(00000000), ref: 00418175
                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
                      • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
                      • GetThreadContext.KERNEL32(?,00000000), ref: 00418245
                      • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
                      • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004182ED
                      • TerminateProcess.KERNEL32(?,00000000), ref: 00418301
                      • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
                      • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
                      • SetThreadContext.KERNEL32(?,00000000), ref: 00418428
                      • ResumeThread.KERNEL32(?), ref: 00418435
                      • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
                      • GetCurrentProcess.KERNEL32(?), ref: 00418457
                      • TerminateProcess.KERNEL32(?,00000000), ref: 00418472
                      • GetLastError.KERNEL32 ref: 0041847A
                      Similarity
                      • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                      • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                      • API String ID: 4188446516-3035715614

                      APIs
                        • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                        • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
                      • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
                      • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7
                        • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
                        • Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                        • Part of subcall function 0040B8AC: TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5
                        • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,76F93530,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                      • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
                      • ExitProcess.KERNEL32 ref: 0040D419
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                      • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hdF$hpF$open$pth_unenc$wend$while fso.FileExists("
                      • API String ID: 3797177996-2616068718
                      • Opcode ID: 4b4a4e1b4e3b5756a36c8647b5f37cacc16024b06e010f5374005e12c290012d
                      • Instruction ID: d7bb7cf55c4450259501d0c3086a2d123ad94ece798773e978a9ab54bd012bbb
                      • Opcode Fuzzy Hash: 4b4a4e1b4e3b5756a36c8647b5f37cacc16024b06e010f5374005e12c290012d
                      • Instruction Fuzzy Hash: 9081B0716082005BC715FB62D8529AF77A8AFD1308F10483FB586A71E2EF7C9E49C65E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
                      • ExitProcess.KERNEL32(00000000), ref: 004124A0
                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
                      • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
                      • CloseHandle.KERNEL32(00000000), ref: 0041253B
                      • GetCurrentProcessId.KERNEL32 ref: 00412541
                      • PathFileExistsW.SHLWAPI(?), ref: 00412572
                      • GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
                      • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
                      • lstrcatW.KERNEL32(?,.exe), ref: 00412601
                        • Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466468,00000000,00000000,0040D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C430
                      • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
                      • Sleep.KERNEL32(000001F4), ref: 00412682
                      • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
                      • CloseHandle.KERNEL32(00000000), ref: 004126A9
                      • GetCurrentProcessId.KERNEL32 ref: 004126AF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                      • String ID: .exe$8SG$WDH$exepath$open$temp_
                      • API String ID: 2649220323-436679193
                      • Opcode ID: 4f95786cf2f2c00e5bb866ed93791c3a94b5cceb6ba25eb1f7637f0f1d303f44
                      • Instruction ID: 17e21f0bcac096b9b94ced5306d028ab2385f4d1d2402c2ee3c492442eb82615
                      • Opcode Fuzzy Hash: 4f95786cf2f2c00e5bb866ed93791c3a94b5cceb6ba25eb1f7637f0f1d303f44
                      • Instruction Fuzzy Hash: 4651B371A00315BBDB10ABA09C9AEFE336D9B04715F10406BF502E71D2EFBC8E85865D
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
                      • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
                      • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B18E
                      • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
                      • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
                      • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
                      • SetEvent.KERNEL32 ref: 0041B219
                      • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
                      • CloseHandle.KERNEL32 ref: 0041B23A
                      • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
                      • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                      • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                      • API String ID: 738084811-2094122233
                      • Opcode ID: ba800d4004146261746f0cd5f3fc473224d9ed50ddfc1a75890d8c2e6864336c
                      • Instruction ID: fe650b41180b39ed17604f18bcb9a712e211fca36760164052b554565c231c06
                      • Opcode Fuzzy Hash: ba800d4004146261746f0cd5f3fc473224d9ed50ddfc1a75890d8c2e6864336c
                      • Instruction Fuzzy Hash: 0351A3B12842056AD314B771DC96ABF379CDB84358F10043FB64A521E2EF788D48CA6E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                      • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                      • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                      • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                      • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                      • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                      • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                      • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                      • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                      • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                      • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                      • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                      • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                      • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$Write$Create
                      • String ID: RIFF$WAVE$data$fmt
                      • API String ID: 1602526932-4212202414
                      • Opcode ID: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                      • Instruction ID: 2ec91bc18be8700290cedec85ec8f66933089e8d2246bcc6fed4c3761e19f715
                      • Opcode Fuzzy Hash: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
                      • Instruction Fuzzy Hash: EB414E72644308BAE210DA51DD86FBB7EECEB89B50F40441AF644D60C0D7A4E909DBB3
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe,00000001,0040764D,C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe,00000003,00407675,004752D8,004076CE), ref: 00407284
                      • GetProcAddress.KERNEL32(00000000), ref: 0040728D
                      • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
                      • GetProcAddress.KERNEL32(00000000), ref: 004072A5
                      • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
                      • GetProcAddress.KERNEL32(00000000), ref: 004072B9
                      • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
                      • GetProcAddress.KERNEL32(00000000), ref: 004072CD
                      • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
                      • GetProcAddress.KERNEL32(00000000), ref: 004072E1
                      • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
                      • GetProcAddress.KERNEL32(00000000), ref: 004072F5
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressHandleModuleProc
                      • String ID: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                      • API String ID: 1646373207-590258447
                      • Opcode ID: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                      • Instruction ID: f839149ce94c73eee9bda0254407c114f4740b95dc73f4bc012c28e2a4ae17e7
                      • Opcode Fuzzy Hash: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
                      • Instruction Fuzzy Hash: 520171E0E4431676DB216F3A6C54D4B6F9C9E5125131A087BB409E2292FEBCE800CE6D
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • _wcslen.LIBCMT ref: 0040CE07
                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE20
                      • CopyFileW.KERNEL32(C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe,00000000,00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CED0
                      • _wcslen.LIBCMT ref: 0040CEE6
                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CF6E
                      • CopyFileW.KERNEL32(C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe,00000000,00000000), ref: 0040CF84
                      • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFC3
                      • _wcslen.LIBCMT ref: 0040CFC6
                      • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFDD
                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004750E4,0000000E), ref: 0040D02D
                      • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040D04B
                      • ExitProcess.KERNEL32 ref: 0040D062
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                      • String ID: 6$C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe$del$hdF$open
                      • API String ID: 1579085052-1707688213
                      • Opcode ID: 4f87b9d86e0d177ce47a61f674f44f3f48b1c9db7a96dc1323a3ea9f6ed17011
                      • Instruction ID: 6918cae47ac4af68ec004dabb58255b0e3542cbe00f5913d2fcd66cab837b2ae
                      • Opcode Fuzzy Hash: 4f87b9d86e0d177ce47a61f674f44f3f48b1c9db7a96dc1323a3ea9f6ed17011
                      • Instruction Fuzzy Hash: CA51A620208302ABD605B7659C92A6F679D9F84719F10443FF609A62E3EFBC9D05866E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • lstrlenW.KERNEL32(?), ref: 0041C036
                      • _memcmp.LIBVCRUNTIME ref: 0041C04E
                      • lstrlenW.KERNEL32(?), ref: 0041C067
                      • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C0A2
                      • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
                      • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
                      • lstrcmpW.KERNEL32(?,?), ref: 0041C114
                      • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
                      • _wcslen.LIBCMT ref: 0041C13B
                      • FindVolumeClose.KERNEL32(?), ref: 0041C15B
                      • GetLastError.KERNEL32 ref: 0041C173
                      • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
                      • lstrcatW.KERNEL32(?,?), ref: 0041C1B9
                      • lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
                      • GetLastError.KERNEL32 ref: 0041C1D0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                      • String ID: ?
                      • API String ID: 3941738427-1684325040
                      • Opcode ID: 8bb61c95002590c369f4a1d7d05134d86b2ad7932cc4dc2ebb1cdf4d201e776a
                      • Instruction ID: a349862c8cee18361e8dc915c9858c0b302c9409c899df8dda18ff866c7f94c5
                      • Opcode Fuzzy Hash: 8bb61c95002590c369f4a1d7d05134d86b2ad7932cc4dc2ebb1cdf4d201e776a
                      • Instruction Fuzzy Hash: 8B416171584316EBD720DFA0DC889EB77ECAB49755F00092BF545C2261EB78C988CBDA
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$EnvironmentVariable$_wcschr
                      • String ID:
                      • API String ID: 3899193279-0
                      • Opcode ID: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
                      • Instruction ID: f75d98bba309171a1893162bbba9979c566f834f65d54a181aa040c21db392b6
                      • Opcode Fuzzy Hash: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
                      • Instruction Fuzzy Hash: C4D13672D007006BFB20AF799D81A6B77A4EF01318F05427FE919A7382EB3D99058799
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD
                        • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,76F93530,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                        • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                        • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                      • Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
                      • Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
                      • Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
                      • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
                      • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
                      • DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
                      • Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
                      • Sleep.KERNEL32(00000064), ref: 00412E94
                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                      • String ID: /stext "$0TG$0TG$NG$NG
                      • API String ID: 1223786279-2576077980
                      • Opcode ID: d4cc380055e882502a24ce1f2ef47ec40ca3eb7e2e8ee682e121ef06dd2aa685
                      • Instruction ID: 3b0169c2c8bc9f0d695cedb60fdc7b81a1931596247e975dd6f1dc47d42db627
                      • Opcode Fuzzy Hash: d4cc380055e882502a24ce1f2ef47ec40ca3eb7e2e8ee682e121ef06dd2aa685
                      • Instruction Fuzzy Hash: 990255311083418AC325FB62D851AEFB3E5AFD4348F50483EF58A971E2EF785A49C65A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408CE3
                      • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
                      • __aulldiv.LIBCMT ref: 00408D4D
                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                        • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                      • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
                      • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
                      • CloseHandle.KERNEL32(00000000), ref: 00408F64
                      • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FAE
                      • CloseHandle.KERNEL32(00000000), ref: 00408FFC
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                      • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $hdF$NG
                      • API String ID: 3086580692-1206044436
                      • Opcode ID: d1b9c816e5d1263f909c3fff94fbbac36937d18fe3b7cd58c2ed58fe6728196b
                      • Instruction ID: 4fd1ef8f0950b8c70c5ee12d710945c0a569e6ad21e20d2a74dcf75f3ec9a52d
                      • Opcode Fuzzy Hash: d1b9c816e5d1263f909c3fff94fbbac36937d18fe3b7cd58c2ed58fe6728196b
                      • Instruction Fuzzy Hash: 95B193716083409BC314FB25C982AAFB7E5AFC4354F50492FF589622D2EF789945CB8B
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
                      • GetCursorPos.USER32(?), ref: 0041D5E9
                      • SetForegroundWindow.USER32(?), ref: 0041D5F2
                      • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
                      • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
                      • ExitProcess.KERNEL32 ref: 0041D665
                      • CreatePopupMenu.USER32 ref: 0041D66B
                      • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Similarity
                      • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                      • String ID: Close
                      • API String ID: 1657328048-3535843008
                      • Opcode ID: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                      • Instruction ID: 483e3be36cf21f9f431d69439bfbb75804d706e25d1e382f075e68ac53faeb55
                      • Opcode Fuzzy Hash: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
                      • Instruction Fuzzy Hash: 392127B1944208FFDB194FA4ED0EAAA3B65FB08342F000135FA0A950B1D775EDA1EB5D
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Similarity
                      • API ID: _free$Info
                      • String ID:
                      • API String ID: 2509303402-0
                      • Opcode ID: 9a1e8def710a50f9e802e5816f878b52a4fdf116ee4a506070fe770fe0ef34d2
                      • Instruction ID: 88ee944febda996c7adaaf7605242af7944d99fb061a5fd2e4f26fad8993db39
                      • Opcode Fuzzy Hash: 9a1e8def710a50f9e802e5816f878b52a4fdf116ee4a506070fe770fe0ef34d2
                      • Instruction Fuzzy Hash: 75B1CD719006059FEF20DF69C881BEEBBB4FF09304F14412EF5A8A7242D6799D45CB65
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                        • Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                        • Part of subcall function 004136F8: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 00413714
                        • Part of subcall function 004136F8: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0041372D
                        • Part of subcall function 004136F8: RegCloseKey.KERNEL32(00000000), ref: 00413738
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
                      • ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
                      • ExitProcess.KERNEL32 ref: 0040D9C4
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Similarity
                      • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                      • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$hdF$open
                      • API String ID: 1913171305-51354631
                      • Opcode ID: 920a0537c73373d1fa928f529e957bf362437fc51c5983c7c145f5f31e510bcc
                      • Instruction ID: 6fc8d312854778a25908ca85050b1cee1951ef16e4956e50e312a563d71e527c
                      • Opcode Fuzzy Hash: 920a0537c73373d1fa928f529e957bf362437fc51c5983c7c145f5f31e510bcc
                      • Instruction Fuzzy Hash: 0C413A719001195ACB15FA62DC56DEEB778AF50309F10007FB10AB61E2EF785E4ACA98
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
                      • LoadLibraryA.KERNEL32(?), ref: 00414E17
                      • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
                      • FreeLibrary.KERNEL32(00000000), ref: 00414E3E
                      • LoadLibraryA.KERNEL32(?), ref: 00414E76
                      • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
                      • FreeLibrary.KERNEL32(00000000), ref: 00414E8F
                      • GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
                      • FreeLibrary.KERNEL32(00000000), ref: 00414EB5
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Similarity
                      • API ID: Library$AddressFreeProc$Load$DirectorySystem
                      • String ID: \ws2_32$\wship6$getaddrinfo
                      • API String ID: 2490988753-3078833738
                      • Opcode ID: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                      • Instruction ID: d7a8240acd80c680e6a706eb94e62412fcb65bdb905c2e3468e0ccb64a1f64dc
                      • Opcode Fuzzy Hash: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
                      • Instruction Fuzzy Hash: 8C31D5B1902315A7C320EF65DC84EDBB7D8AF84744F004A2AF94893250D778DD858BEE
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • ___free_lconv_mon.LIBCMT ref: 0045130A
                        • Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
                        • Part of subcall function 00450502: _free.LIBCMT ref: 00450531
                        • Part of subcall function 00450502: _free.LIBCMT ref: 00450543
                        • Part of subcall function 00450502: _free.LIBCMT ref: 00450555
                        • Part of subcall function 00450502: _free.LIBCMT ref: 00450567
                        • Part of subcall function 00450502: _free.LIBCMT ref: 00450579
                        • Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
                        • Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
                        • Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
                        • Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
                        • Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
                        • Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
                        • Part of subcall function 00450502: _free.LIBCMT ref: 004505F7
                      • _free.LIBCMT ref: 004512FF
                        • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                        • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                      • _free.LIBCMT ref: 00451321
                      • _free.LIBCMT ref: 00451336
                      • _free.LIBCMT ref: 00451341
                      • _free.LIBCMT ref: 00451363
                      • _free.LIBCMT ref: 00451376
                      • _free.LIBCMT ref: 00451384
                      • _free.LIBCMT ref: 0045138F
                      • _free.LIBCMT ref: 004513C7
                      • _free.LIBCMT ref: 004513CE
                      • _free.LIBCMT ref: 004513EB
                      • _free.LIBCMT ref: 00451403
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                      • String ID:
                      • API String ID: 161543041-0
                      • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                      • Instruction ID: 673b37a441ff9bbb7eb6cd98574e5fa8379d72fae64c09c4febd1ea684bb8cd8
                      • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                      • Instruction Fuzzy Hash: 0E319E315007009FFB20AA7AD845B5B73E8EF0131AF50851FEC68D7662DF78AD448B59
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • __EH_prolog.LIBCMT ref: 00419FB9
                      • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 00419FEB
                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A077
                      • Sleep.KERNEL32(000003E8), ref: 0041A0FD
                      • GetLocalTime.KERNEL32(?), ref: 0041A105
                      • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A1F4
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Similarity
                      • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                      • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
                      • API String ID: 489098229-1431523004
                      • Opcode ID: 74d135751b3a5a5dd2f0b0327ce2346d099fb9b4d0bdba82b7b527c99728bf6f
                      • Instruction ID: 65e100c03f0dda0ba9a952c873ad8774fe275ee1deca45487f64c7c8a8292b0e
                      • Opcode Fuzzy Hash: 74d135751b3a5a5dd2f0b0327ce2346d099fb9b4d0bdba82b7b527c99728bf6f
                      • Instruction Fuzzy Hash: E7515D70A00215AACB14BBB5C8529ED7BA9AB44308F40403FF509AB1E2EF7C9D85C799
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Similarity
                      • API ID: _free
                      • String ID:
                      • API String ID: 269201875-0
                      • Opcode ID: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
                      • Instruction ID: d910990a8472ee08c0279d8077499983e41ff25138a9859a729e4309013b5263
                      • Opcode Fuzzy Hash: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
                      • Instruction Fuzzy Hash: E2C17476D40204AFEB20DBA9CC83FDE77B8AB19705F14015AFE05EB283D6B49D458798
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                      • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                      • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                      • closesocket.WS2_32(000000FF), ref: 00404E5A
                      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                      • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                      • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBF
                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EC4
                      • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                      • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED6
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Similarity
                      • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                      • String ID:
                      • API String ID: 3658366068-0
                      • Opcode ID: 0463b1faaa3f7a02a97a49212c31dd980e99cbb732c39645afe60185321c9919
                      • Instruction ID: 0c11cd9b042c69dc9d4dd2828563f6d61870a883144e53252efabab5b24bcc37
                      • Opcode Fuzzy Hash: 0463b1faaa3f7a02a97a49212c31dd980e99cbb732c39645afe60185321c9919
                      • Instruction Fuzzy Hash: BF21E871104B04AFDB216B26DC49B27BBA1FF40326F104A2EE2E211AF1CB75B851DB58
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000,?,00455C84,00000000,0000000C), ref: 004558C6
                      • GetLastError.KERNEL32 ref: 00455CEF
                      • __dosmaperr.LIBCMT ref: 00455CF6
                      • GetFileType.KERNEL32(00000000), ref: 00455D02
                      • GetLastError.KERNEL32 ref: 00455D0C
                      • __dosmaperr.LIBCMT ref: 00455D15
                      • CloseHandle.KERNEL32(00000000), ref: 00455D35
                      • CloseHandle.KERNEL32(?), ref: 00455E7F
                      • GetLastError.KERNEL32 ref: 00455EB1
                      • __dosmaperr.LIBCMT ref: 00455EB8
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Similarity
                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                      • String ID: H
                      • API String ID: 4237864984-2852464175
                      • Opcode ID: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                      • Instruction ID: f4290dc4267d91ba683862cdaabef3013db21248f4240db41616def06e578eae
                      • Opcode Fuzzy Hash: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
                      • Instruction Fuzzy Hash: D5A155329106049FDF19AF68DC617BE3BA0EB06325F14415EEC11EB392CB398D5ACB59
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453E2F
                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453EB2
                      • __alloca_probe_16.LIBCMT ref: 00453EEA
                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,00000001,00000000,\@E,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F45
                      • __alloca_probe_16.LIBCMT ref: 00453F94
                      • MultiByteToWideChar.KERNEL32(00000001,00000009,00000001,00000000,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F5C
                        • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                      • MultiByteToWideChar.KERNEL32(00000001,00000001,00000001,00000000,00000000,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FD8
                      • __freea.LIBCMT ref: 00454003
                      • __freea.LIBCMT ref: 0045400F
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Similarity
                      • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                      • String ID: \@E
                      • API String ID: 201697637-1814623452
                      • Opcode ID: b82298bc980002c4571abe1a7b6d85811e1f97afd47d25fecd247c7af7e2facf
                      • Instruction ID: bd5a1837779a5f2dcb5c2ea5aeb828518df7829aba760434011a70bbc407b236
                      • Opcode Fuzzy Hash: b82298bc980002c4571abe1a7b6d85811e1f97afd47d25fecd247c7af7e2facf
                      • Instruction Fuzzy Hash: E391F472E002069ADB209E65CC42AEFBBF59F09756F14052BFC01E7282D739DD89C768
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Similarity
                      • API ID: _free
                      • String ID: \&G$\&G$`&G
                      • API String ID: 269201875-253610517
                      • Opcode ID: 97c3add27e511c4221db80506819b16e682529302af84ee57927f6cd57728be0
                      • Instruction ID: 0b3297c67b001fbc5a9f4fbe1fd197d652097ca420ae28a40b4f72db8b3ed5d1
                      • Opcode Fuzzy Hash: 97c3add27e511c4221db80506819b16e682529302af84ee57927f6cd57728be0
                      • Instruction Fuzzy Hash: 77610475900204AFDB20CFA9C882B9ABBF4EF05315F14416BED58EB342D774AD458B98
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Similarity
                      • API ID:
                      • String ID: 65535$udp
                      • API String ID: 0-1267037602
                      • Opcode ID: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                      • Instruction ID: ff24d6befd6f0703c902a6165bd45161ed4db0fb5f75d2635e7e580b9b2721aa
                      • Opcode Fuzzy Hash: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
                      • Instruction Fuzzy Hash: EF51E7756093019FDB209B58E9057BB37A4AFC4755F08082FF881973A1E76DCCC1865E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • OpenClipboard.USER32 ref: 00416941
                      • EmptyClipboard.USER32 ref: 0041694F
                      • CloseClipboard.USER32 ref: 00416955
                      • OpenClipboard.USER32 ref: 0041695C
                      • GetClipboardData.USER32(0000000D), ref: 0041696C
                      • GlobalLock.KERNEL32(00000000), ref: 00416975
                      • GlobalUnlock.KERNEL32(00000000), ref: 0041697E
                      • CloseClipboard.USER32 ref: 00416984
                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      Similarity
                      • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                      • String ID: !D@$hdF
                      • API String ID: 2172192267-3475379602
                      • Opcode ID: adf24e29fa33e79d94acba38681993613f0e6ff1af3d37b384c40682ee759fe9
                      • Instruction ID: 305b70c8a6b081cbeb1fc088e42579eafb4add048c4ccd3ac1cf7446a02d8759
                      • Opcode Fuzzy Hash: adf24e29fa33e79d94acba38681993613f0e6ff1af3d37b384c40682ee759fe9
                      • Instruction Fuzzy Hash: CC015E31214301DFC714BB72DC09AAE77A5AF88742F40047EF906821E2DF38CC44CA69
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
                      • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
                      • __dosmaperr.LIBCMT ref: 0043A8A6
                      • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
                      • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
                      • __dosmaperr.LIBCMT ref: 0043A8E3
                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
                      • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
                      • __dosmaperr.LIBCMT ref: 0043A937
                      • _free.LIBCMT ref: 0043A943
                      • _free.LIBCMT ref: 0043A94A
                      Yara matches
                      Similarity
                      • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                      • String ID:
                      • API String ID: 2441525078-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • SetEvent.KERNEL32(?,?), ref: 004054BF
                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                      • TranslateMessage.USER32(?), ref: 0040557E
                      • DispatchMessageA.USER32(?), ref: 00405589
                      • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                      • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                      Strings
                      Yara matches
                      Similarity
                      • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                      • String ID: CloseChat$DisplayMessage$GetMessage
                      • API String ID: 2956720200-749203953
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 00417F2C: __EH_prolog.LIBCMT ref: 00417F31
                      • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417DDC
                      • CloseHandle.KERNEL32(00000000), ref: 00417DE5
                      • DeleteFileA.KERNEL32(00000000), ref: 00417DF4
                      • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DA8
                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                      Strings
                      Yara matches
                      Similarity
                      • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                      • String ID: 0VG$0VG$<$@$Temp
                      • API String ID: 1704390241-2575729100
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • std::_Lockit::_Lockit.LIBCPMT ref: 00410E6E
                      • int.LIBCPMT ref: 00410E81
                        • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                        • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                      • std::_Facet_Register.LIBCPMT ref: 00410EC1
                      • std::_Lockit::~_Lockit.LIBCPMT ref: 00410ECA
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00410EE8
                      • __Init_thread_footer.LIBCMT ref: 00410F29
                      Strings
                      Yara matches
                      Similarity
                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                      • String ID: ,kG$0kG$@!G
                      • API String ID: 3815856325-312998898
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
                      • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
                      • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63
                      Yara matches
                      Similarity
                      • API ID: Service$CloseHandle$Open$ControlManager
                      • String ID:
                      • API String ID: 221034970-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • _free.LIBCMT ref: 00448135
                        • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                        • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                      • _free.LIBCMT ref: 00448141
                      • _free.LIBCMT ref: 0044814C
                      • _free.LIBCMT ref: 00448157
                      • _free.LIBCMT ref: 00448162
                      • _free.LIBCMT ref: 0044816D
                      • _free.LIBCMT ref: 00448178
                      • _free.LIBCMT ref: 00448183
                      • _free.LIBCMT ref: 0044818E
                      • _free.LIBCMT ref: 0044819C
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C6B1
                      • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C6F5
                      • RegCloseKey.ADVAPI32(?), ref: 0041C9BF
                      Strings
                      • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041C6A7
                      • DisplayName, xrefs: 0041C73C
                      Yara matches
                      Similarity
                      • API ID: CloseEnumOpen
                      • String ID: DisplayName$Software\Microsoft\Windows\CurrentVersion\Uninstall
                      • API String ID: 1332880857-3614651759
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Strings
                      Yara matches
                      Similarity
                      • API ID: Eventinet_ntoa
                      • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                      • API String ID: 3578746661-3604713145
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5
                        • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                      • Sleep.KERNEL32(00000064), ref: 00417521
                      • DeleteFileW.KERNEL32(00000000), ref: 00417555
                      Strings
                      Yara matches
                      Similarity
                      • API ID: File$CreateDeleteExecuteShellSleep
                      • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                      • API String ID: 1462127192-2001430897
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 004073DD
                      • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe), ref: 0040749E
                      Strings
                      Yara matches
                      Similarity
                      • API ID: CurrentProcess
                      • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                      • API String ID: 2050909247-4242073005
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • _strftime.LIBCMT ref: 00401D50
                        • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                      • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
                      • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                      • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                      Strings
                      Yara matches
                      Similarity
                      • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                      • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                      • API String ID: 3809562944-243156785
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                      • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                      • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                      • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                      • waveInStart.WINMM ref: 00401CFE
                      Strings
                      Yara matches
                      Similarity
                      • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                      • String ID: dMG$|MG$PG
                      • API String ID: 1356121797-532278878
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476
                        • Part of subcall function 0041D50F: RegisterClassExA.USER32(00000030), ref: 0041D55B
                        • Part of subcall function 0041D50F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                        • Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580
                      • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
                      • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
                      • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
                      • TranslateMessage.USER32(?), ref: 0041D4E9
                      • DispatchMessageA.USER32(?), ref: 0041D4F3
                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D500
                      Strings
                      Yara matches
                      Similarity
                      • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                      • String ID: Remcos
                      • API String ID: 1970332568-165870891
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7e166faf4fed60888f6d9a5ae5c37c00b97c36b417cf054fc87f790b28aa2c34
                      • Instruction ID: c2c0890efeac2311cc0422bbb5d66c498191acafde20d8af94b1f6b0c86a236e
                      • Opcode Fuzzy Hash: 7e166faf4fed60888f6d9a5ae5c37c00b97c36b417cf054fc87f790b28aa2c34
                      • Instruction Fuzzy Hash: 5AC1D770D04249AFEF11DFA9C881BAEBBB4EF09314F18415AE914A7392C77C9D41CB69
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                        • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                        • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                      • _memcmp.LIBVCRUNTIME ref: 00445423
                      • _free.LIBCMT ref: 00445494
                      • _free.LIBCMT ref: 004454AD
                      • _free.LIBCMT ref: 004454DF
                      • _free.LIBCMT ref: 004454E8
                      • _free.LIBCMT ref: 004454F4
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorLast$_abort_memcmp
                      • String ID: C
                      • API String ID: 1679612858-1037565863
                      • Opcode ID: 9a230522b66ee103f0b5d02c6619ea6d7647dc78be8ff38f2db07545005a246d
                      • Instruction ID: 551747f29a431029642ca2aca46be5bbca0cbe6c77a4b2ed9ddfbf6361621c56
                      • Opcode Fuzzy Hash: 9a230522b66ee103f0b5d02c6619ea6d7647dc78be8ff38f2db07545005a246d
                      • Instruction Fuzzy Hash: B2B13975A016199BEB24DF18C884BAEB7B4FF08308F5045EEE949A7351E774AE90CF44
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: tcp$udp
                      • API String ID: 0-3725065008
                      • Opcode ID: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                      • Instruction ID: c6aeaafd44a905d145cb4251883953767b251f71b123717361be5a5837da4da2
                      • Opcode Fuzzy Hash: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
                      • Instruction Fuzzy Hash: 637177B06083028FDB24CF65C480BABB7E4AFD4395F15442FF88986351E778DD858B9A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • __Init_thread_footer.LIBCMT ref: 004018BE
                      • ExitThread.KERNEL32 ref: 004018F6
                      • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                        • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                      • String ID: PkG$XMG$NG$NG
                      • API String ID: 1649129571-3151166067
                      • Opcode ID: 1addd4459206ccda1a90af457825a19d31b8f08cba5be0a07ed153391840909d
                      • Instruction ID: 5b8630810f78da979eb204bf693be1d55f2004797ab3201abec5cd50ea38d472
                      • Opcode Fuzzy Hash: 1addd4459206ccda1a90af457825a19d31b8f08cba5be0a07ed153391840909d
                      • Instruction Fuzzy Hash: BF41B4312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D49C75E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D46
                        • Part of subcall function 00413A55: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                        • Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                      • RegCloseKey.ADVAPI32(00000000,004660A4,004660A4,00466468,00466468,00000071), ref: 00413EB4
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseEnumInfoOpenQuerysend
                      • String ID: hdF$xUG$NG$NG$TG
                      • API String ID: 3114080316-2774981958
                      • Opcode ID: e321fd601a5a508ced69f1c765b97aa59f957093b10026012af0bc573d284bcb
                      • Instruction ID: 865164b8d80166fcad8b4517e5ed4c9fbafb7c73de3830c3e78154838722fbed
                      • Opcode Fuzzy Hash: e321fd601a5a508ced69f1c765b97aa59f957093b10026012af0bc573d284bcb
                      • Instruction Fuzzy Hash: 0B419E316082405BC324F726DC56AEF72959FD1348F40883FF54A671D2EF7C5949866E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FA4,?,00000000,00407FFC,00000000), ref: 004079C5
                      • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A0D
                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                      • CloseHandle.KERNEL32(00000000,?,00000000,00407FFC,00000000,?,?,0000000A,00000000), ref: 00407A4D
                      • MoveFileW.KERNEL32(00000000,00000000), ref: 00407A6A
                      • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407A95
                      • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5
                        • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
                        • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                      • String ID: .part
                      • API String ID: 1303771098-3499674018
                      • Opcode ID: 4857a6ed22049fc29bba1b292068738278ee234636b3138c3eb0938843477c37
                      • Instruction ID: 3872d967715c28256f57216ae0d43a20e9ded80e7ed52efebe816600842ab993
                      • Opcode Fuzzy Hash: 4857a6ed22049fc29bba1b292068738278ee234636b3138c3eb0938843477c37
                      • Instruction Fuzzy Hash: 7F318371508341AFC210EB21DC4599FB7A8FF94359F00493EB545A2192EB78EE48CB9A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                      • GetConsoleWindow.KERNEL32 ref: 0041CDAA
                      • ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                      • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Console$Window$AllocOutputShow
                      • String ID: Remcos v$4.9.4 Pro$CONOUT$
                      • API String ID: 4067487056-3065609815
                      • Opcode ID: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                      • Instruction ID: 3d4e39fb732e2b6cb40f789e287104da8d9afdf675614735db993d10cd8ea689
                      • Opcode Fuzzy Hash: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
                      • Instruction Fuzzy Hash: CD0188719803087AD610F7F1DC8BF9D776C5B14705F6004277604A70D3E7BD9954466E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044ACA3
                      • __alloca_probe_16.LIBCMT ref: 0044ACDB
                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044AD29
                      • __alloca_probe_16.LIBCMT ref: 0044ADC0
                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
                      • __freea.LIBCMT ref: 0044AE30
                        • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                      • __freea.LIBCMT ref: 0044AE39
                      • __freea.LIBCMT ref: 0044AE5E
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                      • String ID:
                      • API String ID: 3864826663-0
                      • Opcode ID: 12305b3b87d107202002273903900b71ffd2ccf102546581680d8e37d1659883
                      • Instruction ID: b5b01290aead076256688b5938d42e4b2a7c64905c3dece0b68445a47d4ef5f6
                      • Opcode Fuzzy Hash: 12305b3b87d107202002273903900b71ffd2ccf102546581680d8e37d1659883
                      • Instruction Fuzzy Hash: 1F513A72680206AFFB258F64CC41EBF77AAEB44714F24462EFC14D6240EB38DC60875A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004199CC
                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004199ED
                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A0D
                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A21
                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00419A37
                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A54
                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00419A6F
                      • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00419A8B
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: InputSend
                      • String ID:
                      • API String ID: 3431551938-0
                      • Opcode ID: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                      • Instruction ID: babcb3f23bbfeda7ed9031f98f3524dfd9ae94bb4b0c65128b251ed995bccade
                      • Opcode Fuzzy Hash: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
                      • Instruction Fuzzy Hash: CE31B471558349AEE310CF51DC41BEBBBDCEF98B54F00080FF6808A181D2A6A9C88B97
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: __freea$__alloca_probe_16_free
                      • String ID: a/p$am/pm$zD
                      • API String ID: 2936374016-2723203690
                      • Opcode ID: f0859f4b60942e64c2417795a0aa154076776a6c217ac3e68ed0847ac231e996
                      • Instruction ID: 9fbfa546a4d6e8c17a1525f8bb1fcc11d6b56032d3bbc67104e2604220ae0e85
                      • Opcode Fuzzy Hash: f0859f4b60942e64c2417795a0aa154076776a6c217ac3e68ed0847ac231e996
                      • Instruction Fuzzy Hash: 6AD1D1B1918206CAFB249F68C845ABBB7B1FF05310F28415BE545AB351D33D9D43CBA9
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413AEB
                      • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413B8B
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Enum$InfoQueryValue
                      • String ID: [regsplt]$xUG$TG
                      • API String ID: 3554306468-1165877943
                      • Opcode ID: 33c7f91080d72b7d6eae4ad8ea9185415ff74703dc449a1b63b856fadc20d013
                      • Instruction ID: b9c9d149d6e4de0395087b00820169330fa190b61d8fc59f93bff107e3475f49
                      • Opcode Fuzzy Hash: 33c7f91080d72b7d6eae4ad8ea9185415ff74703dc449a1b63b856fadc20d013
                      • Instruction Fuzzy Hash: E5511D72900219AADB11EB95DC85EEFB77DAF04305F10007AF505F6191EF786B48CBA9
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044BB31,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B3FE
                      • __fassign.LIBCMT ref: 0044B479
                      • __fassign.LIBCMT ref: 0044B494
                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
                      • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000,?,?,?,?,?,?,?,?,?,0044BB31,?), ref: 0044B4D9
                      • WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000,?,?,?,?,?,?,?,?,?,0044BB31,?), ref: 0044B512
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                      • String ID:
                      • API String ID: 1324828854-0
                      • Opcode ID: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                      • Instruction ID: 24f44d390d373c30b0d8a34eda065edd0bccebe0da4884afe324d1cece3cc5ea
                      • Opcode Fuzzy Hash: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
                      • Instruction Fuzzy Hash: 0751D270900208AFDB10CFA8D885AEEFBF4EF09305F14856BE955E7292D734D941CBA9
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free
                      • String ID: D[E$D[E
                      • API String ID: 269201875-3695742444
                      • Opcode ID: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
                      • Instruction ID: e1ec1e089ae9cf4c30c2343e7c59e1c9a5dba52e91c7d03f0b1416238821c5a9
                      • Opcode Fuzzy Hash: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
                      • Instruction Fuzzy Hash: 7A415B31A001046BEB216BBA8C4566F3BB4EF41336F96061BFC24D7293DA7C880D566D
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,004750E4), ref: 0041363D
                        • Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
                        • Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665
                        • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                        • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
                      • _wcslen.LIBCMT ref: 0041B763
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                      • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
                      • API String ID: 3286818993-122982132
                      • Opcode ID: 9e766dfad90d1072eeebd329423a54b06a7feef5cd64e583281de775404f8260
                      • Instruction ID: 0af867b59be632d30c611c6dccf556baefac66a2e67262e696d3f692bc65d575
                      • Opcode Fuzzy Hash: 9e766dfad90d1072eeebd329423a54b06a7feef5cd64e583281de775404f8260
                      • Instruction Fuzzy Hash: 6721A472A002086BDB14BAB58CD6AFE766D9B85328F14043FF405B72C2EE7C9D494269
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 004135A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
                        • Part of subcall function 004135A6: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 004135E7
                        • Part of subcall function 004135A6: RegCloseKey.KERNEL32(?), ref: 004135F2
                      • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BF6B
                      • PathFileExistsA.SHLWAPI(?), ref: 0040BF78
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                      • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                      • API String ID: 1133728706-4073444585
                      • Opcode ID: 68a42e42b8838ca6718af06bcf6c8b1fb058983d8eb4a6e4fef459ca4e905c38
                      • Instruction ID: 11f9a5ab4d81baf10890d677fe2d2a0774849eb970c5828eb217b404dd8a17fe
                      • Opcode Fuzzy Hash: 68a42e42b8838ca6718af06bcf6c8b1fb058983d8eb4a6e4fef459ca4e905c38
                      • Instruction Fuzzy Hash: 38215271A4021AA6CB04F7B2CC569EE77699F10704F40017FE506B71D2EF7899498ADE
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0d17155dc6db7c30058fdf5bf10590413c3ccf5281d5a9a865ac9745ee25c2fc
                      • Instruction ID: 6cb1fb7365923ae9cd4386fa22a0d7cc2d4bdc50975796c61f51bb0de8f74700
                      • Opcode Fuzzy Hash: 0d17155dc6db7c30058fdf5bf10590413c3ccf5281d5a9a865ac9745ee25c2fc
                      • Instruction Fuzzy Hash: B9110272504214BAEB216F728C0496F3AACEF85326B52422BFD11C7252DE38CC41CAA8
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 00450C41: _free.LIBCMT ref: 00450C6A
                      • _free.LIBCMT ref: 00450F48
                        • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                        • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                      • _free.LIBCMT ref: 00450F53
                      • _free.LIBCMT ref: 00450F5E
                      • _free.LIBCMT ref: 00450FB2
                      • _free.LIBCMT ref: 00450FBD
                      • _free.LIBCMT ref: 00450FC8
                      • _free.LIBCMT ref: 00450FD3
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                      • Instruction ID: d9348172fd0740f80504453a64c2ebf0df3e8af845a5f6206b1ac0666941ab15
                      • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                      • Instruction Fuzzy Hash: B411A231540B04AAD625BB72CC47FCB779CAF0230BF44491EBEED66053D6ACB9085745
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • std::_Lockit::_Lockit.LIBCPMT ref: 00411170
                      • int.LIBCPMT ref: 00411183
                        • Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
                        • Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC
                      • std::_Facet_Register.LIBCPMT ref: 004111C3
                      • std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 004111EA
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                      • String ID: (mG
                      • API String ID: 2536120697-4059303827
                      • Opcode ID: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
                      • Instruction ID: 9d9da6683174d9a5c92fa95d325e3547e0845688fcbb555b93a4fb26f280994d
                      • Opcode Fuzzy Hash: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
                      • Instruction Fuzzy Hash: 1411EB32900518A7CB14BB9AD8058DEBB79DF44354F10456FBE04A72D1DB789D40C7D9
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
                      • SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLastValue___vcrt_
                      • String ID:
                      • API String ID: 3852720340-0
                      • Opcode ID: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                      • Instruction ID: 5d53a0da36a7034647469206452edf011e0dcb0cee8899775f26e7a14c982385
                      • Opcode Fuzzy Hash: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
                      • Instruction Fuzzy Hash: 7F01283214C3519EA61526796C86A6B2648EB0A7B9F30133FF918815F1EF594C90514D
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe), ref: 004075D0
                        • Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
                        • Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582
                      • CoUninitialize.OLE32 ref: 00407629
                      Strings
                      • C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, xrefs: 004075B0, 004075B3, 00407605
                      • [+] before ShellExec, xrefs: 004075F1
                      • [+] ucmCMLuaUtilShellExecMethod, xrefs: 004075B5
                      • [+] ShellExec success, xrefs: 0040760E
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: InitializeObjectUninitialize_wcslen
                      • String ID: C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                      • API String ID: 3851391207-1713507577
                      • Opcode ID: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                      • Instruction ID: 681a2da4e9d4b9e6b45db6330fec0c9e961fb52a18ca78f8243115a9baea1a6b
                      • Opcode Fuzzy Hash: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
                      • Instruction Fuzzy Hash: B201D272B087016BE2245B25DC0EF6B7758DB81729F11083FF902A61C2EBA9BC0145AB
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
                      • GetLastError.KERNEL32 ref: 0040BAE7
                      Strings
                      • [Chrome Cookies found, cleared!], xrefs: 0040BB0D
                      • UserProfile, xrefs: 0040BAAD
                      • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8
                      • [Chrome Cookies not found], xrefs: 0040BB01
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: DeleteErrorFileLast
                      • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                      • API String ID: 2018770650-304995407
                      • Opcode ID: c69a48e60de484867d8b749c5ae4c270b90bc560c43d961a50d917c7878b2bfc
                      • Instruction ID: 6bc0ec4de36c0471385c24d45a27137009bd471b3f80e31671ebbef4da92dce6
                      • Opcode Fuzzy Hash: c69a48e60de484867d8b749c5ae4c270b90bc560c43d961a50d917c7878b2bfc
                      • Instruction Fuzzy Hash: 08018F31A402095ACA04BBBACD5B8BE7724E912714F50017BF802726E6FE7D5A059ADE
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      • C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe, xrefs: 004076C4
                      • SG, xrefs: 004076DA
                      • hdF, xrefs: 004076A9
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: SG$C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe$hdF
                      • API String ID: 0-1576443231
                      • Opcode ID: a134d68e00a23aec850ce34bab2ba566fca7fbefa287618f70ce8b1be92ee060
                      • Instruction ID: 1b954d03a55cc3c1a25a26db856d3c6076ddce7f3b9fad0ad77fefb3a3407f05
                      • Opcode Fuzzy Hash: a134d68e00a23aec850ce34bab2ba566fca7fbefa287618f70ce8b1be92ee060
                      • Instruction Fuzzy Hash: 2CF046B0F14A00EBCB0467655D186693A05A740356F404C77F907EA2F2EBBD5C41C61E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • _free.LIBCMT ref: 00444066
                        • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                        • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                      • _free.LIBCMT ref: 00444078
                      • _free.LIBCMT ref: 0044408B
                      • _free.LIBCMT ref: 0044409C
                      • _free.LIBCMT ref: 004440AD
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID: @PL
                      • API String ID: 776569668-1242170429
                      • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                      • Instruction ID: c4ed0220327abb1134bcf7d54e43c2409a3611c90002b0fe773cef56a7474a4d
                      • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                      • Instruction Fuzzy Hash: 11F03AB18009208FA631AF2DBD414053B61E705769346822BF62C62A70C7B94ED2CFCF
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • __allrem.LIBCMT ref: 0043AC69
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
                      • __allrem.LIBCMT ref: 0043AC9C
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
                      • __allrem.LIBCMT ref: 0043ACD1
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                      • String ID:
                      • API String ID: 1992179935-0
                      • Opcode ID: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                      • Instruction ID: 0cac597ccac2158415e78c81c2c349525783c2449c9f0a8280db41f57d0428da
                      • Opcode Fuzzy Hash: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
                      • Instruction Fuzzy Hash: CC812B72640706ABE7209F29CC41B5BB3A9EF48324F24552FF590D7781EB7CE9108B5A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • Sleep.KERNEL32(00000000,0040D262), ref: 004044C4
                        • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: H_prologSleep
                      • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                      • API String ID: 3469354165-3054508432
                      • Opcode ID: 91431f8b5db115c882df2f0e13a11dad090b1a6d8894046dc22c07ac9576aff7
                      • Instruction ID: 62663cdee79800d8a54f028f5a980ee1c6790ad11611a7059aef087dab150aaf
                      • Opcode Fuzzy Hash: 91431f8b5db115c882df2f0e13a11dad090b1a6d8894046dc22c07ac9576aff7
                      • Instruction Fuzzy Hash: 5C51E1B1A042116BCA14FB369D0A66E3755ABC5748F00053FFA06677E2EF7C8A45839E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 0041179C: SetLastError.KERNEL32(0000000D,00411D1C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004117A2
                      • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411D37
                      • GetNativeSystemInfo.KERNEL32(?,0040D2A2,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411DA5
                      • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411DC9
                        • Part of subcall function 00411CA3: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411DE7,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CB3
                      • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E10
                      • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E17
                      • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F2A
                        • Part of subcall function 00412077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37,?,?,?,?,?), ref: 004120E7
                        • Part of subcall function 00412077: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 004120EE
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                      • String ID:
                      • API String ID: 3950776272-0
                      • Opcode ID: 03879881e365d714915aafd98c27fc7559b9a312a1bd96baf04abeae924ccd8f
                      • Instruction ID: a5564978de1508fcfe39aaa31f5973b4ee53e0220ffe5d2cf9b9f7f7cc9a58c7
                      • Opcode Fuzzy Hash: 03879881e365d714915aafd98c27fc7559b9a312a1bd96baf04abeae924ccd8f
                      • Instruction Fuzzy Hash: B661E370601201ABC7109F66C980BAB7BA5BF44744F04411BFA058B7A2E7BCE8D2CBD9
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: __cftoe
                      • String ID:
                      • API String ID: 4189289331-0
                      • Opcode ID: eef5811f0b3e11eaf1bdde4175ac7a9ebfa2f3cd5d18ba66a6432d1456243127
                      • Instruction ID: 6c78d09a6f5169ef6f707262af513c71f712f2c279f5202ad8aecd4a6012115a
                      • Opcode Fuzzy Hash: eef5811f0b3e11eaf1bdde4175ac7a9ebfa2f3cd5d18ba66a6432d1456243127
                      • Instruction Fuzzy Hash: D951EA72900A05ABFF209B59CC81FAF77A9EF49334F14421FF515A6293DB39D900866C
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
                      • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A38E,00000000), ref: 0041AC9C
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACA9
                      • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF0
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF3
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Service$CloseHandle$Open$ChangeConfigManager
                      • String ID:
                      • API String ID: 493672254-0
                      • Opcode ID: 6d957316612e9e1639687d6e998d7ab77ff57d14ab12c87d2f09a2430009e9f1
                      • Instruction ID: ed0bae8235b77a8e2b5b4951a925fd67a34dfbd091713fce30693036f81a5133
                      • Opcode Fuzzy Hash: 6d957316612e9e1639687d6e998d7ab77ff57d14ab12c87d2f09a2430009e9f1
                      • Instruction Fuzzy Hash: 84014E311452147BD6110B385C4DEFB3B5CDB42771F100317F925922D1EA68CD45B5EE
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                      • _free.LIBCMT ref: 0044824C
                      • _free.LIBCMT ref: 00448274
                      • SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
                      • SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                      • _abort.LIBCMT ref: 00448293
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast$_free$_abort
                      • String ID:
                      • API String ID: 3160817290-0
                      • Opcode ID: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
                      • Instruction ID: 1e51d54565af68f960eede883612623578b8b4ccb82fc25c91f14e3db4823c68
                      • Opcode Fuzzy Hash: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
                      • Instruction Fuzzy Hash: 15F0F935104F006AF611332A6C05B5F2515ABC276AF25066FF92892292DFACCC4581AD
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
                      • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
                      • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Service$CloseHandle$Open$ControlManager
                      • String ID:
                      • API String ID: 221034970-0
                      • Opcode ID: 311859fee7c9cfc71de310ff83382dc2b6c95d747b6933e344276464a171e98f
                      • Instruction ID: 651adf303b3d55a6ad93a9774d9c6d096703db2647e4265c62a250da7e042a32
                      • Opcode Fuzzy Hash: 311859fee7c9cfc71de310ff83382dc2b6c95d747b6933e344276464a171e98f
                      • Instruction Fuzzy Hash: 68F0C231541218ABD711AF25AC49EFF3B6CDF45BA2F000026FE0992192DB68CD4695E9
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
                      • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
                      • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Service$CloseHandle$Open$ControlManager
                      • String ID:
                      • API String ID: 221034970-0
                      • Opcode ID: 1b37a1e7eac98f1240c34f126e6a4f870ba627e83eac9c5dd9270139d563d70d
                      • Instruction ID: cdcae22f94af1ce7d279f83afe572816001e75aa845eac4345c2c81124f82824
                      • Opcode Fuzzy Hash: 1b37a1e7eac98f1240c34f126e6a4f870ba627e83eac9c5dd9270139d563d70d
                      • Instruction Fuzzy Hash: 84F0C231501218ABD6116F259C49DFF3B6CDB45B62F40002AFE0996192EB38DD4595F9
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC20
                      • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC34
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC41
                      • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC62
                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC65
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Service$CloseHandle$Open$ControlManager
                      • String ID:
                      • API String ID: 221034970-0
                      • Opcode ID: f9e3a9574bebdc31c431017d68fe9d332939c115f8ba389fbd910f6d712af4f5
                      • Instruction ID: 1af6be829003de2eeb85b71d4b0cbdb2c911632148e7083bdbbda8586ff13133
                      • Opcode Fuzzy Hash: f9e3a9574bebdc31c431017d68fe9d332939c115f8ba389fbd910f6d712af4f5
                      • Instruction Fuzzy Hash: 2FF0F631501228BBD711AF25EC49DFF3B6CDB45B62F00002AFE0992192EB38CD4595F9
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe,00000104), ref: 00443475
                      • _free.LIBCMT ref: 00443540
                      • _free.LIBCMT ref: 0044354A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$FileModuleName
                      • String ID: 'K$C:\Users\user\Desktop\1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33c8d8678.dat-decoded.exe
                      • API String ID: 2506810119-1239414864
                      • Opcode ID: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                      • Instruction ID: 78b8e4ab202bb8962dfea6a4c95dea7b8c186c0554b41bb8e719afd17783d6d0
                      • Opcode Fuzzy Hash: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
                      • Instruction Fuzzy Hash: 2E31C471A00258BFEB21DF999C8199EBBBCEF85B15F10406BF50497311D6B89F81CB98
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                      • Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                      • CloseHandle.KERNEL32(00000000,?,?,?,0040A74D), ref: 0040A6EE
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$CloseCreateHandleSizeSleep
                      • String ID: XQG
                      • API String ID: 1958988193-3606453820
                      • Opcode ID: c123891714ba34b2fc86ee474269cf7d4a952ef3128b037d3b88976122030326
                      • Instruction ID: 2d5b847f40b6dc6d65e682cb961bc0859910b41d7418e35cc132b68a4a9af338
                      • Opcode Fuzzy Hash: c123891714ba34b2fc86ee474269cf7d4a952ef3128b037d3b88976122030326
                      • Instruction Fuzzy Hash: AD112B30600740EEE631A7249895A5F3B6AEB41356F48083AF2C26B6D2C6799CA0C35E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RegisterClassExA.USER32(00000030), ref: 0041D55B
                      • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D576
                      • GetLastError.KERNEL32 ref: 0041D580
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: ClassCreateErrorLastRegisterWindow
                      • String ID: 0$MsgWindowClass
                      • API String ID: 2877667751-2410386613
                      • Opcode ID: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                      • Instruction ID: 921741f364e14ac5d494c0d6481b3569f22aad0bbfd2e997b493b5423d792a6e
                      • Opcode Fuzzy Hash: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
                      • Instruction Fuzzy Hash: 910129B1D00219BBDB00DFD5ECC49EFBBBDEA04355F40053AF900A6240E77859058AA4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
                      • CloseHandle.KERNEL32(?), ref: 004077AA
                      • CloseHandle.KERNEL32(?), ref: 004077AF
                      Strings
                      • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791
                      • C:\Windows\System32\cmd.exe, xrefs: 00407796
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseHandle$CreateProcess
                      • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                      • API String ID: 2922976086-4183131282
                      • Opcode ID: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                      • Instruction ID: bcd6b2dc2297655d1c2a6c7a9d844aadd79638dc8707381bf3a952a3ff6736b4
                      • Opcode Fuzzy Hash: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
                      • Instruction Fuzzy Hash: BCF03676D4029D76CB20ABD6DC0EEDF7F7DEBC5B11F00056AF904A6141E6746404C6B9
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 0044335A
                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044336D
                      • FreeLibrary.KERNEL32(00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 00443390
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressFreeHandleLibraryModuleProc
                      • String ID: CorExitProcess$mscoree.dll
                      • API String ID: 4061214504-1276376045
                      • Opcode ID: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                      • Instruction ID: b4f1316bd170a33105784e50650a9bde6d9e9410588fddf83d5a1a7bf10dc45d
                      • Opcode Fuzzy Hash: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
                      • Instruction Fuzzy Hash: 6AF0A430A00208FBDB149F55DC09B9EBFB4EF04713F0041A9FC05A2261CB349E40CA98
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
                      • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
                      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405140
                        • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                      • String ID: KeepAlive | Disabled
                      • API String ID: 2993684571-305739064
                      • Opcode ID: 17bfdc88350a56738500cb661d506395563dca3eea58109498aa24bd4a02de42
                      • Instruction ID: c1447ea2195e795a2fa4d382ed9a15925dec3dc8ccf256ab7d783030aa8980db
                      • Opcode Fuzzy Hash: 17bfdc88350a56738500cb661d506395563dca3eea58109498aa24bd4a02de42
                      • Instruction Fuzzy Hash: 4CF06271904711BBDB103B758D0A66B7A54AB02311F0009BEF982916E2D6798840CF9A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                      • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041ADF2
                      • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE00
                      • Sleep.KERNEL32(00002710), ref: 0041AE07
                      • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AE10
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: PlaySound$HandleLocalModuleSleepTime
                      • String ID: Alarm triggered
                      • API String ID: 614609389-2816303416
                      • Opcode ID: 8320d0a8477b2dfdf5ffede3a6159dd71cddf314a322f93aa69cf56e5021b822
                      • Instruction ID: 9c0713ce1321a11b0f254193fe9a85ef30a97b7eb59a64372af151f10574a600
                      • Opcode Fuzzy Hash: 8320d0a8477b2dfdf5ffede3a6159dd71cddf314a322f93aa69cf56e5021b822
                      • Instruction Fuzzy Hash: 36E01226B44260779620377B6D4FD6F3D28DAC2B5170100BEFA0666192D9580C4586FB
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CDED), ref: 0041CD62
                      • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD6F
                      • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CDED), ref: 0041CD7C
                      • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CDED), ref: 0041CD8F
                      Strings
                      • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CD82
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Console$AttributeText$BufferHandleInfoScreen
                      • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                      • API String ID: 3024135584-2418719853
                      • Opcode ID: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                      • Instruction ID: 0b88db63cd78dea0703aeaf814a7171c31f7e2e6e0b1944ffb711cb25cf7542c
                      • Opcode Fuzzy Hash: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
                      • Instruction Fuzzy Hash: B4E04872904315E7E31027B5EC4DDAB7B7CE745713B100266FA12915D39A749C40C6B5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d82b14c4b7eddcab2a525b8a5736e815382cccc6b286473e45e20a4a09cb7dcc
                      • Instruction ID: 3288ceb70b28299b768e57bc56a65f905b411dc47ae91625c595fe6b39b3afde
                      • Opcode Fuzzy Hash: d82b14c4b7eddcab2a525b8a5736e815382cccc6b286473e45e20a4a09cb7dcc
                      • Instruction Fuzzy Hash: 4D71C431900256ABEF21CF55C884AFFBBB5EF95350F14012BE812A72A1D7748CC1CBA9
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                      • _free.LIBCMT ref: 00444E06
                      • _free.LIBCMT ref: 00444E1D
                      • _free.LIBCMT ref: 00444E3C
                      • _free.LIBCMT ref: 00444E57
                      • _free.LIBCMT ref: 00444E6E
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Similarity
                      • API ID: _free$AllocateHeap
                      • String ID:
                      • API String ID: 3033488037-0

                      APIs
                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
                      • _free.LIBCMT ref: 004493BD
                        • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                        • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                      • _free.LIBCMT ref: 00449589
                      Similarity
                      • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                      • String ID:
                      • API String ID: 1286116820-0

                      APIs
                        • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                        • Part of subcall function 0041BFB7: IsWow64Process.KERNEL32(00000000,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFCF
                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
                      • Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
                      • CloseHandle.KERNEL32(00000000), ref: 0040FB05
                        • Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA
                        • Part of subcall function 0041BFE5: IsWow64Process.KERNEL32(00000000,?,?,?,00475338), ref: 0041C005
                        • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                        • Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6
                      Similarity
                      • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                      • String ID:
                      • API String ID: 2180151492-0

                      Similarity
                      • API ID: _free
                      • String ID:
                      • API String ID: 269201875-0

                      APIs
                      • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01), ref: 00451179
                      • __alloca_probe_16.LIBCMT ref: 004511B1
                      • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?), ref: 00451202
                      • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?,00000002,00000000), ref: 00451214
                      • __freea.LIBCMT ref: 0045121D
                        • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                      Similarity
                      • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                      • String ID:
                      • API String ID: 313313983-0

                      APIs
                      • GetEnvironmentStringsW.KERNEL32 ref: 0044F363
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386
                        • Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
                      • _free.LIBCMT ref: 0044F3BF
                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE
                      Similarity
                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                      • String ID:
                      • API String ID: 336800556-0

                      APIs
                      • GetLastError.KERNEL32(?,00000000,00000000,0043BC87,00000000,00000000,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044829E
                      • _free.LIBCMT ref: 004482D3
                      • _free.LIBCMT ref: 004482FA
                      • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448307
                      • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448310
                      Similarity
                      • API ID: ErrorLast$_free
                      • String ID:
                      • API String ID: 3170660625-0

                      APIs
                      • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
                      • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
                      • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C228
                      • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C233
                      • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C23B
                      Similarity
                      • API ID: Process$CloseHandleOpen$FileImageName
                      • String ID:
                      • API String ID: 2951400881-0

                      APIs
                      • _free.LIBCMT ref: 004509D4
                        • Part of subcall function 00446782: RtlFreeHeap.NTDLL(00000000,00000000,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?), ref: 00446798
                        • Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA
                      • _free.LIBCMT ref: 004509E6
                      • _free.LIBCMT ref: 004509F8
                      • _free.LIBCMT ref: 00450A0A
                      • _free.LIBCMT ref: 00450A1C
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0

                      APIs
                      • _strpbrk.LIBCMT ref: 0044E738
                      • _free.LIBCMT ref: 0044E855
                        • Part of subcall function 0043BD19: IsProcessorFeaturePresent.KERNEL32(00000017,0043BCEB,00405103,?,00000000,00000000,004020A6,00000000,00000000,?,0043BD0B,00000000,00000000,00000000,00000000,00000000), ref: 0043BD1B
                        • Part of subcall function 0043BD19: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD3D
                        • Part of subcall function 0043BD19: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD44
                      Similarity
                      • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                      • String ID: *?$.
                      • API String ID: 2812119850-3972193922

                      APIs
                      • GetKeyboardLayoutNameA.USER32(?), ref: 00409ED3
                        • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                        • Part of subcall function 0041C515: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F5B,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C52A
                        • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                      Similarity
                      • API ID: CreateFileKeyboardLayoutNameconnectsend
                      • String ID: XQG$NG$PG
                      • API String ID: 1634807452-3565412412

                      APIs
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3
                      Similarity
                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                      • String ID: `#D$`#D
                      • API String ID: 885266447-2450397995

                      APIs
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                        • Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,76F93530,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F
                        • Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E74), ref: 0041857E
                        • Part of subcall function 00418568: CloseHandle.KERNEL32(t^F,?,?,004040F5,00465E74), ref: 00418587
                        • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                      • Sleep.KERNEL32(000000FA,00465E74), ref: 00404138
                      Similarity
                      • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                      • String ID: /sort "Visit Time" /stext "$0NG
                      • API String ID: 368326130-3219657780

                      APIs
                        • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                        • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                        • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                        • Part of subcall function 0044F077: _abort.LIBCMT ref: 0044F0A9
                        • Part of subcall function 0044F077: _free.LIBCMT ref: 0044F0DD
                        • Part of subcall function 0044ECEC: GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                      • _free.LIBCMT ref: 0044EFD0
                      • _free.LIBCMT ref: 0044F006
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorLast_abort
                      • String ID: @PL$@PL
                      • API String ID: 2991157371-3539071742
                      • Opcode ID: 23ed7ce0d1312216544e861ed2cc667081b9de49bf4146cfd61311aa69b4ec7f
                      • Instruction ID: 3a29b68b49955ca98559fee15c42126097606514ccea0e67eec2104835090475
                      • Opcode Fuzzy Hash: 23ed7ce0d1312216544e861ed2cc667081b9de49bf4146cfd61311aa69b4ec7f
                      • Instruction Fuzzy Hash: FD31D531904104BFFB10EB6AD440B9EB7E4FF40329F2540AFE5149B2A1DB399D45CB48
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                      • __Init_thread_footer.LIBCMT ref: 0040B797
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Init_thread_footer__onexit
                      • String ID: [End of clipboard]$[Text copied to clipboard]$hdF
                      • API String ID: 1881088180-1379921833
                      • Opcode ID: f72f7acb6e995bab9069cebdaf7e12266999cf1a5a480981143d2b12499a9b58
                      • Instruction ID: c7bebb0a0a15900a9cc4ffb6e17528162536323bfdf0e6139bd55c50ddf57f74
                      • Opcode Fuzzy Hash: f72f7acb6e995bab9069cebdaf7e12266999cf1a5a480981143d2b12499a9b58
                      • Instruction Fuzzy Hash: C0219F32A101054ACB14FB66D8829EDB379AF90318F10453FE505731E2EF386D4A8A9C
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • _wcslen.LIBCMT ref: 004162F5
                        • Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                        • Part of subcall function 00413877: RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                        • Part of subcall function 00413877: RegCloseKey.KERNEL32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                        • Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: _wcslen$CloseCreateValue
                      • String ID: !D@$okmode$PG
                      • API String ID: 3411444782-3370592832
                      • Opcode ID: 0b5bfbcb24497edc23cadcade7b987103f73c59b25c5745cb5cc2b363945fd23
                      • Instruction ID: dff749dc984b923ba5de2327a6f3f9cc2e67bcaf748228c26ce3aec7d70e92d7
                      • Opcode Fuzzy Hash: 0b5bfbcb24497edc23cadcade7b987103f73c59b25c5745cb5cc2b363945fd23
                      • Instruction Fuzzy Hash: 10119371B442011ADB187B72D832ABD22969F94358F80443FF54AAF2E2DEBD4C51525D
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                      • PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
                      • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C688
                      Strings
                      • User Data\Profile ?\Network\Cookies, xrefs: 0040C635
                      • User Data\Default\Network\Cookies, xrefs: 0040C603
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExistsFilePath
                      • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                      • API String ID: 1174141254-1980882731
                      • Opcode ID: 3f7452b16761e1584c8e2d429d91126a521682e32829e5e9204bb30330905886
                      • Instruction ID: e6b9b9a8142aca5ff9e4641a3ff80a721fb4b0471daa7637ae592fad8ebd6223
                      • Opcode Fuzzy Hash: 3f7452b16761e1584c8e2d429d91126a521682e32829e5e9204bb30330905886
                      • Instruction Fuzzy Hash: B421037190011996CB14F7A2DC96CEEB738EE50319F40053FB502B31D2EF789A46C698
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                      • PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
                      • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C757
                      Strings
                      • User Data\Profile ?\Network\Cookies, xrefs: 0040C704
                      • User Data\Default\Network\Cookies, xrefs: 0040C6D2
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExistsFilePath
                      • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                      • API String ID: 1174141254-1980882731
                      • Opcode ID: 6cf461605f9a2c7fe8b2ad0f04ad55fadbe866efa039c7f8a040f60605f6135f
                      • Instruction ID: 83f6a23093d6b0727a30a1d550f3d6f5bdb2bb72864fa742cd8a9fd6423befd9
                      • Opcode Fuzzy Hash: 6cf461605f9a2c7fe8b2ad0f04ad55fadbe866efa039c7f8a040f60605f6135f
                      • Instruction Fuzzy Hash: AE21D37190011AD6CB05F7A2DC96CEEB778EE50719B50013FF502B31D2EF789A46C698
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                      • wsprintfW.USER32 ref: 0040B1F3
                        • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: EventLocalTimewsprintf
                      • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                      • API String ID: 1497725170-1359877963
                      • Opcode ID: 0fa510481dae123cd5fd75732960a6ac833555e1abee358401ce2a6dd28e6376
                      • Instruction ID: 81b60f5d3581edaaac31e3e44e1e4f5c322996b2d8bf5e7d6f89c643b346fb92
                      • Opcode Fuzzy Hash: 0fa510481dae123cd5fd75732960a6ac833555e1abee358401ce2a6dd28e6376
                      • Instruction Fuzzy Hash: 82117F72504118AACB18AB96EC558FE77BCEE48315B00012FF506A60E1FF7C9E46C6AC
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                        • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                        • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                      • CreateThread.KERNEL32(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0040AF6E
                      • CreateThread.KERNEL32(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 0040AF7A
                      • CreateThread.KERNEL32(00000000,00000000,0040A295,?,00000000,00000000), ref: 0040AF86
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateThread$LocalTime$wsprintf
                      • String ID: Online Keylogger Started
                      • API String ID: 112202259-1258561607
                      • Opcode ID: 18c80faa916e37ff587b460602bbba5bb4c1a333ebe42aa4448383553abdc9cc
                      • Instruction ID: a86b307176fed80e65d2d8085b20e14cf0e56bf63d45b36b749a5edd9f3e52e0
                      • Opcode Fuzzy Hash: 18c80faa916e37ff587b460602bbba5bb4c1a333ebe42aa4448383553abdc9cc
                      • Instruction Fuzzy Hash: 1401C8A070031939E62076365C87D7F7A5DCA81398F40057FF645362C6D97D1C5586FB
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CloseHandle.KERNEL32(00000000,00000000,0040F3BB,?,0044BC8A,0040F3BB,0046EBB0,0000000C), ref: 0044BDC2
                      • GetLastError.KERNEL32(?,0044BC8A,0040F3BB,0046EBB0,0000000C), ref: 0044BDCC
                      • __dosmaperr.LIBCMT ref: 0044BDF7
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseErrorHandleLast__dosmaperr
                      • String ID: phM
                      • API String ID: 2583163307-251227584
                      • Opcode ID: c386fb262ac1df75f9233a8cbac1a47ba8a32ae4ab5a4414f4170ecae5b11561
                      • Instruction ID: 6d8ae8a68538518658f59cc4ec35c635b4eb055c917d93d15d596e37dde74a72
                      • Opcode Fuzzy Hash: c386fb262ac1df75f9233a8cbac1a47ba8a32ae4ab5a4414f4170ecae5b11561
                      • Instruction Fuzzy Hash: 59010832A0426066E62462399C4577F6749CB92739F2546AFFD14872D3DB6CCC8182D9
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406A82
                      • GetProcAddress.KERNEL32(00000000), ref: 00406A89
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: CryptUnprotectData$crypt32
                      • API String ID: 2574300362-2380590389
                      • Opcode ID: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
                      • Instruction ID: d796ed41fc96dc9ef8d801536240fab0e9422483ab40f89d2a564a4d0f07de08
                      • Opcode Fuzzy Hash: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
                      • Instruction Fuzzy Hash: 6201B535B00216ABCB18DFAD9D449ABBBB8EB49300F14817EE95AE3341D674D9008BA4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
                      • CloseHandle.KERNEL32(?), ref: 004051CA
                      • SetEvent.KERNEL32(?), ref: 004051D9
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseEventHandleObjectSingleWait
                      • String ID: Connection Timeout
                      • API String ID: 2055531096-499159329
                      • Opcode ID: b2d32d1c486696acff87f5af967792298d31230c8842a0f6a1d2fc38208b6c67
                      • Instruction ID: e4880b57ed2806ada623013920947221b56867654f576af2420d72dde76e11cf
                      • Opcode Fuzzy Hash: b2d32d1c486696acff87f5af967792298d31230c8842a0f6a1d2fc38208b6c67
                      • Instruction Fuzzy Hash: 1201D831A40F40AFE7257B368D9552BBBE0FF01302704097FE68396AE2D6789800CF59
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E833
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Exception@8Throw
                      • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                      • API String ID: 2005118841-1866435925
                      • Opcode ID: 14b47bc0c01e13b5246ea87e39f47a408aa5ce0847750dcdb3cc0488a1de7433
                      • Instruction ID: aca7d9cae529c24a85643cb8f0975e7fdd15ab88b82278639a3f13e82648cb6f
                      • Opcode Fuzzy Hash: 14b47bc0c01e13b5246ea87e39f47a408aa5ce0847750dcdb3cc0488a1de7433
                      • Instruction Fuzzy Hash: 2C01B1315443086AE618F693C843FAA73585B10708F108C2FAA15761C2F67D6961C66B
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RegCreateKeyW.ADVAPI32(80000001,00000000,004752D8), ref: 0041381F
                      • RegSetValueExW.ADVAPI32(004752D8,?,00000000,00000001,00000000,00000000,004752F0,?,0040F823,pth_unenc,004752D8), ref: 0041384D
                      • RegCloseKey.ADVAPI32(004752D8,?,0040F823,pth_unenc,004752D8), ref: 00413858
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseCreateValue
                      • String ID: pth_unenc
                      • API String ID: 1818849710-4028850238
                      • Opcode ID: 05bf175528813bc9b9993d83c1793f80e43b850aacd1f889012fd8a578c3b476
                      • Instruction ID: 91b44a8789fefabe47d0aed0b401f4e945a8dec35bb1902c17c37083bf943f80
                      • Opcode Fuzzy Hash: 05bf175528813bc9b9993d83c1793f80e43b850aacd1f889012fd8a578c3b476
                      • Instruction Fuzzy Hash: 83F0C271440218FBDF10AFA1EC45FEE376CEF00B56F10452AF905A61A1E7359F04DA94
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFB1
                      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040DFF0
                        • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 0043565F
                        • Part of subcall function 00435640: _Yarn.LIBCPMT ref: 00435683
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E016
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                      • String ID: bad locale name
                      • API String ID: 3628047217-1405518554
                      • Opcode ID: 86f49e18a429e1939de4d1535c8c5fe7fe9a78163a93b43351c768af92284890
                      • Instruction ID: c9d4814c50014869750c7e26a4e1a69426a580a77e14145940ab7c7d7e24a8db
                      • Opcode Fuzzy Hash: 86f49e18a429e1939de4d1535c8c5fe7fe9a78163a93b43351c768af92284890
                      • Instruction Fuzzy Hash: EAF081314006049AC634FA62D863B9AB7B89F14718F504A7FB906228D1EF7CBA1CCA4C
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00416C47
                      • ShowWindow.USER32(00000009), ref: 00416C61
                      • SetForegroundWindow.USER32 ref: 00416C6D
                        • Part of subcall function 0041CD9B: AllocConsole.KERNEL32(00475338), ref: 0041CDA4
                        • Part of subcall function 0041CD9B: GetConsoleWindow.KERNEL32 ref: 0041CDAA
                        • Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
                        • Part of subcall function 0041CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Window$Console$Show$AllocCreateForegroundOutputThread
                      • String ID: !D@
                      • API String ID: 186401046-604454484
                      • Opcode ID: e059714e8af422b030354d623efbd6a9b9292f4f91efc962f73d79e52ecb3699
                      • Instruction ID: c1d0571eb829819ca76672189d51ce116019f2d3a91c4b5ec781e9fa27a10d2f
                      • Opcode Fuzzy Hash: e059714e8af422b030354d623efbd6a9b9292f4f91efc962f73d79e52ecb3699
                      • Instruction Fuzzy Hash: 9EF05E70158201EAD720AB62EC45AFA7B69EB54351F00483BF849D14F2DB398C85C69D
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130
                      Strings
                      Yara matches
                      Similarity
                      • API ID: ExecuteShell
                      • String ID: /C $cmd.exe$open
                      • API String ID: 587946157-3896048727
                      • Opcode ID: 4ad490e0fde3b647c583a86c80413934cd69158f8dfa8dfee57c8354f6faf088
                      • Instruction ID: 0a18f3537a1213b4b5dca9b82f73c842755a7e35c30cee8a650de64661b344da
                      • Opcode Fuzzy Hash: 4ad490e0fde3b647c583a86c80413934cd69158f8dfa8dfee57c8354f6faf088
                      • Instruction Fuzzy Hash: 0DE0C0B0208345AAC705E775CC95CBF73ADAA94749B50483F7142A20E2EF7C9D49C659
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B876
                      • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8A1
                      Strings
                      Yara matches
                      Similarity
                      • API ID: DeleteDirectoryFileRemove
                      • String ID: hdF$pth_unenc
                      • API String ID: 3325800564-514923600
                      • Opcode ID: a0279363c5a25902ec7a11d25b89e924bfdaaad508c09a6524f83826895f7699
                      • Instruction ID: 8281cfb8de641f04b50c20d0c8e921e0d4b8d2282f61a3be21f0805504db5409
                      • Opcode Fuzzy Hash: a0279363c5a25902ec7a11d25b89e924bfdaaad508c09a6524f83826895f7699
                      • Instruction Fuzzy Hash: 45E046321007119BCB14AB258C48AD6339CAF0031AF00486FA492A32A1DF38AC09CAA8
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
                      • UnhookWindowsHookEx.USER32(004750F0), ref: 0040B8C7
                      • TerminateThread.KERNEL32(Function_0000A267,00000000,?,pth_unenc), ref: 0040B8D5
                      Strings
                      Yara matches
                      Similarity
                      • API ID: TerminateThread$HookUnhookWindows
                      • String ID: pth_unenc
                      • API String ID: 3123878439-4028850238
                      • Opcode ID: 507b53b63eb7c6f10faa5869e7b72cd95082fe0a88c6c54c261be3869f185826
                      • Instruction ID: 1c21f009177841ea8acfe7f5b61a435624369701cc7e40c150536a334dec3301
                      • Opcode Fuzzy Hash: 507b53b63eb7c6f10faa5869e7b72cd95082fe0a88c6c54c261be3869f185826
                      • Instruction Fuzzy Hash: 4AE01272205356EFD7241FA09C988267BEEDA0478A324487EF2C3626B1CA794C10CB5D
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Yara matches
                      Similarity
                      • API ID: __alldvrm$_strrchr
                      • String ID:
                      • API String ID: 1036877536-0
                      • Opcode ID: 4f8832beee02cc7ac8349e43431f1a5ed1ce449240751d3aeed044ff3a2741d2
                      • Instruction ID: 0200e234d7a66e392568480c50467de0d06b46efb2a76a7ba0b74d69ca9a70f2
                      • Opcode Fuzzy Hash: 4f8832beee02cc7ac8349e43431f1a5ed1ce449240751d3aeed044ff3a2741d2
                      • Instruction Fuzzy Hash: 57A166319843869FFB21CF58C8817AEBBA1FF25304F1441AFE9859B382C27D8951C75A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                      • Instruction ID: 497cf8d2f4a88fd96e7f98feeb1d24cd381d204b534fd1f3fd6e485e43360072
                      • Opcode Fuzzy Hash: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
                      • Instruction Fuzzy Hash: EA413871A00704BFF324AF79CD41B5EBBA9EB88710F10862FF105DB681E7B999418788
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Strings
                      • [Cleared browsers logins and cookies.], xrefs: 0040C0E4
                      • Cleared browsers logins and cookies., xrefs: 0040C0F5
                      Yara matches
                      Similarity
                      • API ID: Sleep
                      • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                      • API String ID: 3472027048-1236744412
                      • Opcode ID: bc362d70cf4f5ad946d2d6bce893b7e03ef5b56e408b8141a290fd3d2dbf3af0
                      • Instruction ID: fac43f66edf0589ccdcbb227709f1a337e776f7542e83b73a027453bfa593f46
                      • Opcode Fuzzy Hash: bc362d70cf4f5ad946d2d6bce893b7e03ef5b56e408b8141a290fd3d2dbf3af0
                      • Instruction Fuzzy Hash: 2531C804348380E9D6116BF554567AB7B814E93744F08457FB9C42B3D3D97E4848C7AF
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 004136F8: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 00413714
                        • Part of subcall function 004136F8: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 0041372D
                        • Part of subcall function 004136F8: RegCloseKey.KERNEL32(00000000), ref: 00413738
                      • Sleep.KERNEL32(00000BB8), ref: 0041277A
                      Strings
                      Yara matches
                      Similarity
                      • API ID: CloseOpenQuerySleepValue
                      • String ID: 8SG$exepath$hdF
                      • API String ID: 4119054056-3379396883
                      • Opcode ID: abf20036ad70d98174a07eb652c7711c4b2f7adaf8a1d534f2fe302cffeed402
                      • Instruction ID: f3cf03c5a64ef847c6da3637c810c9cb64e8e240b2c65477c235684d5dc29c85
                      • Opcode Fuzzy Hash: abf20036ad70d98174a07eb652c7711c4b2f7adaf8a1d534f2fe302cffeed402
                      • Instruction Fuzzy Hash: B52148A0B0030427DA00B7366D46EBF724E8B84318F40443FB916E72D3EEBC9C48426D
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 0041C551: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C561
                        • Part of subcall function 0041C551: GetWindowTextLengthW.USER32(00000000), ref: 0041C56A
                        • Part of subcall function 0041C551: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C594
                      • Sleep.KERNEL32(000001F4), ref: 0040A573
                      • Sleep.KERNEL32(00000064), ref: 0040A5FD
                      Strings
                      Yara matches
                      Similarity
                      • API ID: Window$SleepText$ForegroundLength
                      • String ID: [ $ ]
                      • API String ID: 3309952895-93608704
                      • Opcode ID: 31279ddc9ac779b407beafc78fb4a7c612abc736342ec11431a77cc1334fcb89
                      • Instruction ID: 97bd403738d1ca0cb59e80c1fc79ee6201ed0cb329172f4776a94889a39aca56
                      • Opcode Fuzzy Hash: 31279ddc9ac779b407beafc78fb4a7c612abc736342ec11431a77cc1334fcb89
                      • Instruction Fuzzy Hash: FE119F315043006BC614BB65CC5399F77A8AF50308F40053FF552665E2FF79AA5886DB
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Yara matches
                      Similarity
                      • API ID: SystemTimes$Sleep__aulldiv
                      • String ID:
                      • API String ID: 188215759-0
                      • Opcode ID: 1460bbf00a7581670417fcbf42b3a1dfd5e2489cdc62901d12e8026d78940c5d
                      • Instruction ID: 72b4c32e7059473e424b83a6cc96647c38f9827b21069785d395d2d8421d6a64
                      • Opcode Fuzzy Hash: 1460bbf00a7581670417fcbf42b3a1dfd5e2489cdc62901d12e8026d78940c5d
                      • Instruction Fuzzy Hash: B0113D7A5083456BD304FAB5CC85DEB7BACEAC4654F040A3EF54A82051FE68EA4886A5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
                      • Instruction ID: 17f232e73e96fb976a24982deb7d35e81c220cd9520ca4ef7e8dcf180de91df6
                      • Opcode Fuzzy Hash: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
                      • Instruction Fuzzy Hash: 1301F2B36497067EFA202E786CC1F67220CDF41BBEB34032BB574712D1DA68CE404568
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
                      • Instruction ID: 34d970f17befced98e3ca294e9c9a609e5e7bfbb0444a55afbb34e25ce639c56
                      • Opcode Fuzzy Hash: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
                      • Instruction Fuzzy Hash: 0601A2B26096117EFA111E796CC4E27624CDB81BBF325032BF535612D6DA688E014169
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
                      • GetLastError.KERNEL32(?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2
                      Yara matches
                      Similarity
                      • API ID: LibraryLoad$ErrorLast
                      • String ID:
                      • API String ID: 3177248105-0
                      • Opcode ID: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                      • Instruction ID: d5df962f837ff7629ef00c7a8b4dcab40ba3e58d8e4ddb8b40c265455ff02ab4
                      • Opcode Fuzzy Hash: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
                      • Instruction Fuzzy Hash: AA012832602322FBD7214B289C4495B7798AB50B61B20053AFD05D3241DF34CD01CAE8
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                      • GetFileSize.KERNEL32(00000000,00000000), ref: 0041C4B2
                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041C4D7
                      • CloseHandle.KERNEL32(00000000), ref: 0041C4E5
                      Yara matches
                      Similarity
                      • API ID: File$CloseCreateHandleReadSize
                      • String ID:
                      • API String ID: 3919263394-0
                      • Opcode ID: b5e3200c466b265101f42b470097a5df982af49012dad84e5cfda8818ecad7ff
                      • Instruction ID: d938e931a51b81dfe9e25773ede9364464a286a3a3b97e7b856b7b87d8bf29b3
                      • Opcode Fuzzy Hash: b5e3200c466b265101f42b470097a5df982af49012dad84e5cfda8818ecad7ff
                      • Instruction Fuzzy Hash: 0FF0C2B1245308BFE6101B25ACD4EBB375CEB867A9F00053EF902A22C1CA298C05913A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • ___BuildCatchObject.LIBVCRUNTIME ref: 0043987A
                        • Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC
                      • _UnwindNestedFrames.LIBCMT ref: 00439891
                      • ___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
                      • CallCatchBlock.LIBVCRUNTIME ref: 004398C7
                      Yara matches
                      Similarity
                      • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                      • String ID:
                      • API String ID: 2633735394-0
                      • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                      • Instruction ID: dcee73c62e3621a690853eebe59cad03ae51e1002f288686f44977c5109bb855
                      • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                      • Instruction Fuzzy Hash: 18011732000109BBCF12AF55CC01EDA3BBAEF9D754F04511AFD5861221C3BAE861DBA5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetSystemMetrics.USER32(0000004C), ref: 004193F0
                      • GetSystemMetrics.USER32(0000004D), ref: 004193F6
                      • GetSystemMetrics.USER32(0000004E), ref: 004193FC
                      • GetSystemMetrics.USER32(0000004F), ref: 00419402
                      Yara matches
                      Similarity
                      • API ID: MetricsSystem
                      • String ID:
                      • API String ID: 4116985748-0
                      • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                      • Instruction ID: 9a44d86f369c7068fc2c949f9b02ed5542bf43da40f6b7222f807aea32733f55
                      • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                      • Instruction Fuzzy Hash: DFF0A471B043155BD744EA759C51A6F6BD5EBD4264F10043FF20887281EE78DC468785
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438F31
                      • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438F36
                      • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438F3B
                        • Part of subcall function 0043A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A44B
                      • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438F50
                      Yara matches
                      Similarity
                      • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                      • String ID:
                      • API String ID: 1761009282-0
                      • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                      • Instruction ID: 04dbcd9d80b8837b95b31ffc0e846904d80335f120ca5f78e3accc67d081205e
                      • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                      • Instruction Fuzzy Hash: 59C04C15080781541C50B6B2210B2AE83461E7E38DFD074DFFCE0571038E4E043B653F
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • __startOneArgErrorHandling.LIBCMT ref: 00442CED
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorHandling__start
                      • String ID: pow
                      • API String ID: 3213639722-2276729525
                      • Opcode ID: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
                      • Instruction ID: c2a334fe3ab53b67a82bc2a1da04863f7f1ed5e2a579c87dfbcc8ae8a095d349
                      • Opcode Fuzzy Hash: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
                      • Instruction Fuzzy Hash: C6516DA1E0420296FB167B14CE4137B2BA4DB40751F704D7FF096823AAEB7D8C859A4F
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418ABE
                        • Part of subcall function 00418656: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418AD1,00000000,?,?,?,?,00000000), ref: 0041866A
                      • SHCreateMemStream.SHLWAPI(00000000), ref: 00418B0B
                        • Part of subcall function 004186CB: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B27,00000000,?,?), ref: 004186DD
                        • Part of subcall function 00418679: GdipDisposeImage.GDIPLUS(?,00418B82), ref: 00418682
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                      • String ID: image/jpeg
                      • API String ID: 1291196975-3785015651
                      • Opcode ID: d9a19672ec4dc75711255ce94c2c2311e4e29857de9186f34d814f6d2a4cbe43
                      • Instruction ID: 71c7567624fb1f0fb67e5b365d5baafb3eed0516d04e2b9615b8e3d4f66a2876
                      • Opcode Fuzzy Hash: d9a19672ec4dc75711255ce94c2c2311e4e29857de9186f34d814f6d2a4cbe43
                      • Instruction Fuzzy Hash: 13317F71504300AFC301EF65CC84DAFB7E9FF8A704F00496EF985A7251DB7999448BA6
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451D92,?,00000050,?,?,?,?,?), ref: 00451C12
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: ACP$OCP
                      • API String ID: 0-711371036
                      • Opcode ID: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
                      • Instruction ID: fc24b39bc158c677debbea649066bee6e1bba6d32f28379ebc1c8ba741b2d3ba
                      • Opcode Fuzzy Hash: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
                      • Instruction Fuzzy Hash: BA217D22A4010063DB34CF54C940B9B326ADF50B27F568166ED09C7322F73AED44C39C
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418BAA
                        • Part of subcall function 00418656: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418AD1,00000000,?,?,?,?,00000000), ref: 0041866A
                      • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00418BCF
                        • Part of subcall function 004186CB: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B27,00000000,?,?), ref: 004186DD
                        • Part of subcall function 00418679: GdipDisposeImage.GDIPLUS(?,00418B82), ref: 00418682
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                      • String ID: image/png
                      • API String ID: 1291196975-2966254431
                      • Opcode ID: d4f259a593197f1d9dbe7f79535cfb99d89987488e7eb69950e532603a38181c
                      • Instruction ID: c6f894421d6f6d4ca6915e56eba1d7ff3797fde04a376feef2065c2e579c4a83
                      • Opcode Fuzzy Hash: d4f259a593197f1d9dbe7f79535cfb99d89987488e7eb69950e532603a38181c
                      • Instruction Fuzzy Hash: 30219371204211AFC705EB61CC88CBFBBADEFCA754F10092EF54693161DB399945CBA6
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405030
                        • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                      • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405087
                      Strings
                      • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: LocalTime
                      • String ID: KeepAlive | Enabled | Timeout:
                      • API String ID: 481472006-1507639952
                      • Opcode ID: d7ff175fedf05b7445783633cdb62c4b571b838359eb1ad13fe403eca5861c2a
                      • Instruction ID: 59903f388a44bacb81d563bcbf5ab321eb0051b597eccb46fab67989b44e7fd4
                      • Opcode Fuzzy Hash: d7ff175fedf05b7445783633cdb62c4b571b838359eb1ad13fe403eca5861c2a
                      • Instruction Fuzzy Hash: 1D21F2719046405BD710B7259C0676F7B64E751308F40087EE8491B2A6DA7D5A88CBEF
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • Sleep.KERNEL32 ref: 00416640
                      • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: DownloadFileSleep
                      • String ID: !D@
                      • API String ID: 1931167962-604454484
                      • Opcode ID: a0ec73807b07b55f12d7be1e643fec4cddf46813b039fcbaa5035cf5dcd737ac
                      • Instruction ID: f21b004d79e7af0ef9ad63e4b6518ad07bb10e0138b316cec4f8e9f86784bb19
                      • Opcode Fuzzy Hash: a0ec73807b07b55f12d7be1e643fec4cddf46813b039fcbaa5035cf5dcd737ac
                      • Instruction Fuzzy Hash: C6115171A083029AC714FF72D8969BE77A8AF54348F400C3FF546621E2EE3C9949C65A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetLocalTime.KERNEL32(00000000), ref: 0041B509
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: LocalTime
                      • String ID: | $%02i:%02i:%02i:%03i
                      • API String ID: 481472006-2430845779
                      • Opcode ID: cfeb685ec421024236c3fe8a582943f52c7b46feb71b451bddb7413a3931a58d
                      • Instruction ID: b0c371a91d376d28eb23a1cf2c2b6b2589463c7c7bf84255da33bc44f247512a
                      • Opcode Fuzzy Hash: cfeb685ec421024236c3fe8a582943f52c7b46feb71b451bddb7413a3931a58d
                      • Instruction Fuzzy Hash: 361181714082055AC304EB62D8419BFB3E9AB44348F50093FF895A21E1EF3CDA49C65A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • PathFileExistsW.SHLWAPI(00000000), ref: 0041AD3C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExistsFilePath
                      • String ID: alarm.wav$hYG
                      • API String ID: 1174141254-2782910960
                      • Opcode ID: 8bb715c861777828018c0efb95e7b3ddf71d1be237a3fc970ce687e59d2cfd9b
                      • Instruction ID: 1ebdaa4a32a078914063a8122a991a3a49773bb3edac1861de613ef54c78e1f6
                      • Opcode Fuzzy Hash: 8bb715c861777828018c0efb95e7b3ddf71d1be237a3fc970ce687e59d2cfd9b
                      • Instruction Fuzzy Hash: 7A01F5B064460156C604F37698167EE37464B80319F00447FF68A266E2EFBC9D99C68F
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                        • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                        • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                      • CloseHandle.KERNEL32(?), ref: 0040B0B4
                      • UnhookWindowsHookEx.USER32 ref: 0040B0C7
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                      • String ID: Online Keylogger Stopped
                      • API String ID: 1623830855-1496645233
                      • Opcode ID: 33f513a8367aa60c9c39e45db4b09adeb783fa014ebf533a38ecdd59b48b7fa1
                      • Instruction ID: 2e372e3e3892c4e8816e9c8053feed756abc81e7e35a03d4dadb391bbfa0e77d
                      • Opcode Fuzzy Hash: 33f513a8367aa60c9c39e45db4b09adeb783fa014ebf533a38ecdd59b48b7fa1
                      • Instruction Fuzzy Hash: 0101F5306002049BD7217B35C80B3BF7BA59B41305F40007FE642226D2EBB91845D7DE
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
                        • Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
                        • Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
                        • Part of subcall function 00448215: _abort.LIBCMT ref: 00448293
                      • _abort.LIBCMT ref: 0044F0A9
                      • _free.LIBCMT ref: 0044F0DD
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast_abort_free
                      • String ID: @PL
                      • API String ID: 289325740-1242170429
                      • Opcode ID: 2e9ada046b615cce909465303d253cbb0255e834f3ab9ea9ae3315e12a655f22
                      • Instruction ID: 2af8ca7d7d9da888dd2a293bb18e2fdfe9fbdc3dbac3c8495f7aa1b7b8b1e2f7
                      • Opcode Fuzzy Hash: 2e9ada046b615cce909465303d253cbb0255e834f3ab9ea9ae3315e12a655f22
                      • Instruction Fuzzy Hash: F2010871D01A218FEB30AF6A840125EB7A0BF44715B15422FE52863352CB7C6D46CFCE
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • waveInPrepareHeader.WINMM(004CDC50,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                      • waveInAddBuffer.WINMM(004CDC50,00000020,?,00000000,00401A15), ref: 0040185F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: wave$BufferHeaderPrepare
                      • String ID: XMG
                      • API String ID: 2315374483-813777761
                      • Opcode ID: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                      • Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
                      • Opcode Fuzzy Hash: db4cc151110a5f9a71eb5ce2d7546914e9eb517e880c4322ad0588f055fadbe6
                      • Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free
                      • String ID: $G
                      • API String ID: 269201875-4251033865
                      • Opcode ID: 061f1d377262398e84625751e00800f7b3b9231d747b7f71bcbf8f837b64f860
                      • Instruction ID: ffc8389238c956ab6c1ca4f2b01b58cd1871601a5e35f3520dab429f03a8b914
                      • Opcode Fuzzy Hash: 061f1d377262398e84625751e00800f7b3b9231d747b7f71bcbf8f837b64f860
                      • Instruction Fuzzy Hash: 7DE0E592A0182014F6717A3F6C0575B0545CBC2B7FF11833BF538861C1CFAC4A46519E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: LocaleValid
                      • String ID: IsValidLocaleName$JD
                      • API String ID: 1901932003-2234456777
                      • Opcode ID: 98bf4732c76f9d0cbfb8c103c3b900cf5be1bffc9926f7dc5154a94851103fac
                      • Instruction ID: c43517d2c5aad0833927174c53c021eab8a1ac695cd7bc198788f3b2bcf9e263
                      • Opcode Fuzzy Hash: 98bf4732c76f9d0cbfb8c103c3b900cf5be1bffc9926f7dc5154a94851103fac
                      • Instruction Fuzzy Hash: D6F05230A80308F7DB106B60DC06FAEBF58CB04B52F10017EFD046B291CE786E05929E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C4F6
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExistsFilePath
                      • String ID: UserProfile$\AppData\Local\Google\Chrome\
                      • API String ID: 1174141254-4188645398
                      • Opcode ID: f1acc3cc63483105fb3c6833ea2415d43d59c245a1346c36ac9ceb6aca08711c
                      • Instruction ID: 529cceb54bdbac8586af3e6ebd5273a77adcdcd577382419881006e182ae29c8
                      • Opcode Fuzzy Hash: f1acc3cc63483105fb3c6833ea2415d43d59c245a1346c36ac9ceb6aca08711c
                      • Instruction Fuzzy Hash: 96F05E31A00219A6C604BBF69C478BF7B3C9D50709B50017FBA01B61D3EE789945C6EE
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C559
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExistsFilePath
                      • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                      • API String ID: 1174141254-2800177040
                      • Opcode ID: 911eca338311f85069e2af4ccc8ed928932e81e1ee07fccbbe9b002445cdb3b1
                      • Instruction ID: 330371ab8f71d6844e3501a7b0875f3b866c8fe31c1dcac5d822fe972055fe7f
                      • Opcode Fuzzy Hash: 911eca338311f85069e2af4ccc8ed928932e81e1ee07fccbbe9b002445cdb3b1
                      • Instruction Fuzzy Hash: ECF05E31A00219A6CA14B7B69C47CEF7B6C9D50705B10017FB602B61D2EE78994186EE
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5BC
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExistsFilePath
                      • String ID: AppData$\Opera Software\Opera Stable\
                      • API String ID: 1174141254-1629609700
                      • Opcode ID: 25af406674ba748cf22b69dac7a276e1c55e1f7e049a59cb8dfb70449f372998
                      • Instruction ID: 49b076bb86b4c8db4da1bdedad10e463925805c403c57d636a3174f469f12df7
                      • Opcode Fuzzy Hash: 25af406674ba748cf22b69dac7a276e1c55e1f7e049a59cb8dfb70449f372998
                      • Instruction Fuzzy Hash: 13F05E31A00319A6CA14B7B69C47CEF7B7C9D10709B40017BB601B61D2EE789D4586EA
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free
                      • String ID: $G
                      • API String ID: 269201875-4251033865
                      • Opcode ID: 0ad43b1214ad8572508d9786c92e0b088e9d3dbafa2474dd36ac496255489d68
                      • Instruction ID: d76a88c3c7e0b504eff74fb84b9f6db8507cba8af1ea4ea387731c34734dfbbf
                      • Opcode Fuzzy Hash: 0ad43b1214ad8572508d9786c92e0b088e9d3dbafa2474dd36ac496255489d68
                      • Instruction Fuzzy Hash: AAE0E562A0182040F675BA3F2D05B9B49C5DB8173BF11433BF538861C1DFAC4A4251AE
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetKeyState.USER32(00000011), ref: 0040B64B
                        • Part of subcall function 0040A3E0: GetForegroundWindow.USER32(?,?,004750F0), ref: 0040A416
                        • Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
                        • Part of subcall function 0040A3E0: GetKeyboardLayout.USER32(00000000), ref: 0040A429
                        • Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
                        • Part of subcall function 0040A3E0: GetKeyboardState.USER32(?,?,004750F0), ref: 0040A43E
                        • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(00475144,00000000,?,?,00000010,00000000,00000000), ref: 0040A461
                        • Part of subcall function 0040A3E0: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4C1
                        • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                      • String ID: [AltL]$[AltR]
                      • API String ID: 2738857842-2658077756
                      • Opcode ID: dd2f914049f4f370ef2f5aa51de3004961a69ba16bdb171d6c04a041743c3e8a
                      • Instruction ID: e48b288e44f9d4c6b211653e2fe3bcc76c2b66b59b43e84e4aaf588e4500f4a3
                      • Opcode Fuzzy Hash: dd2f914049f4f370ef2f5aa51de3004961a69ba16bdb171d6c04a041743c3e8a
                      • Instruction Fuzzy Hash: 3BE0652134021052C828323E592F6BE2D51C742754B86057FF9826B6C5DABF4D1542CF
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
                      • GetACP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED2E
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: uD
                      • API String ID: 0-2547262877
                      • Opcode ID: c5b08800a69d4838b4f5beafbc063674321feb547ffb76a205f46ddd03b66443
                      • Instruction ID: 19c10458df6b4aed5d20bc802b22671fd2b069e30d3a1616a3713fc20edc201d
                      • Opcode Fuzzy Hash: c5b08800a69d4838b4f5beafbc063674321feb547ffb76a205f46ddd03b66443
                      • Instruction Fuzzy Hash: A5F0C871800105CBEB20DB55DC897697771BF11335F144755E4394A6E2C7B98C81CF49
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExecuteShell
                      • String ID: !D@$open
                      • API String ID: 587946157-1586967515
                      • Opcode ID: 28875262e4bf0174853db4a5e6fd65081a004c09e6690994ece775789ea22bec
                      • Instruction ID: 73504a7432a82bf20c2cd712858cac99996ed9f8eaf32da6c0f13d1c3fa6c831
                      • Opcode Fuzzy Hash: 28875262e4bf0174853db4a5e6fd65081a004c09e6690994ece775789ea22bec
                      • Instruction Fuzzy Hash: 2FE0ED712483059AD614EA72DC91AFE7358AB54755F40083FF506514E2EE3C5849C65A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetKeyState.USER32(00000012), ref: 0040B6A5
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: State
                      • String ID: [CtrlL]$[CtrlR]
                      • API String ID: 1649606143-2446555240
                      • Opcode ID: f934f2a7f97c34cec8605a65b064942ce57b78f2774506a061fea1d29b3ee07f
                      • Instruction ID: bec5627f59812d2efb235ad4bfa8f6d19d2d97b3e0140e65676d9d4505e8418d
                      • Opcode Fuzzy Hash: f934f2a7f97c34cec8605a65b064942ce57b78f2774506a061fea1d29b3ee07f
                      • Instruction Fuzzy Hash: 6FE04F2160021052C524363D5A1E67D2911CB52754B42096FF882A76CADEBF891543CF
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776
                      • __Init_thread_footer.LIBCMT ref: 00410F29
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: Init_thread_footer__onexit
                      • String ID: ,kG$0kG
                      • API String ID: 1881088180-2015055088
                      • Opcode ID: f9f143b1e95ac96eb86707cb7474d167dbc7ad60067a617d51a8135112e2f0db
                      • Instruction ID: c595ded0a674a2b9ccc74dbc71d20adb946c68f5a758ea4f5ad5526f3cc50642
                      • Opcode Fuzzy Hash: f9f143b1e95ac96eb86707cb7474d167dbc7ad60067a617d51a8135112e2f0db
                      • Instruction Fuzzy Hash: 35E0D8312149208EC214A32995829C93791DB4E335B61412BF414D72D5CBAEB8C1CA1D
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D144,00000000,004752D8,004752F0,?,pth_unenc), ref: 00413A31
                      • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00413A45
                      Strings
                      • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: DeleteOpenValue
                      • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                      • API String ID: 2654517830-1051519024
                      • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                      • Instruction ID: 6fb421a43559def270d35797bbb86f7c8bc210cd52a17bc53693ea6618a40a87
                      • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                      • Instruction Fuzzy Hash: 99E0C23124420CFBDF104F71DD06FFA376CDB01F42F1006A5BA0692091C626DF049668
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
                      • WaitForSingleObject.KERNEL32(000000FF), ref: 00412873
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: ObjectProcessSingleTerminateWait
                      • String ID: pth_unenc
                      • API String ID: 1872346434-4028850238
                      • Opcode ID: 1b0d5640518fcde21729cf1b02f36aec3fd37732ecf9f275e44c4103a8157302
                      • Instruction ID: 1c2a9d3d993a2aa40768a62e13ec0bdc830226799852dc8a6b6faba0c59f1205
                      • Opcode Fuzzy Hash: 1b0d5640518fcde21729cf1b02f36aec3fd37732ecf9f275e44c4103a8157302
                      • Instruction Fuzzy Hash: 2FD01234189312FFD7350F60EE4DB043B98A705362F140265F428512F1C7A58994EA59
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: CommandLine
                      • String ID: 'K
                      • API String ID: 3253501508-4240946575
                      • Opcode ID: 21ebb353eb9a5e230f63c7dd18cef58b922ecce08ae36afe23ca5bbaac6cd083
                      • Instruction ID: 694146ce0b361bd31d1980ce40e18c0a636997d79f12e70286e675221abc8fda
                      • Opcode Fuzzy Hash: 21ebb353eb9a5e230f63c7dd18cef58b922ecce08ae36afe23ca5bbaac6cd083
                      • Instruction Fuzzy Hash: CBB04878800753CB97108F21AA0C0853FA0B30820238020B6940A92A21EB7885868A08
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D27
                      • GetLastError.KERNEL32 ref: 00440D35
                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440D90
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: ByteCharMultiWide$ErrorLast
                      • String ID:
                      • API String ID: 1717984340-0
                      • Opcode ID: 06151d672a34678faa0f1c8d5979b725e0733317c82078799b35041d461e39d5
                      • Instruction ID: f204e272a103731937cf510deb2d9f687334ef06d731906aa630a644c7418207
                      • Opcode Fuzzy Hash: 06151d672a34678faa0f1c8d5979b725e0733317c82078799b35041d461e39d5
                      • Instruction Fuzzy Hash: BA411871A00206EFEF218FA5C8447AB7BA5EF45310F10816BFA549B3A1DB38AD25C759
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411EF0), ref: 00411B8C
                      • IsBadReadPtr.KERNEL32(?,00000014,00411EF0), ref: 00411C58
                      • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411C7A
                      • SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91
                      Memory Dump Source
                      • Source File: 00000000.00000002.3810430340.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.3810414858.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810520242.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810544312.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.3810573238.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_1713934625194381993b7036c2f81df0c4f94527f4e7bb43abdf90d09e24f7ee13cf33.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLastRead
                      • String ID:
                      • API String ID: 4100373531-0
                      • Opcode ID: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                      • Instruction ID: 277f4bdee2933866d2d1c697a3b04f0a6a13197b354a533a519a822f1f8833ca
                      • Opcode Fuzzy Hash: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
                      • Instruction Fuzzy Hash: 37419C75244305DFE7248F18DC84BA7B3E8FB48711F00082EEA8A87661F739E845CB99
                      Uniqueness

                      Uniqueness Score: -1.00%