
Windows Analysis Report
172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe

Overview

General Information

Sample name: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe
Analysis ID: 1515272
MD5: 77af19d8b1cbbd2762ba3eb3ef2bf9df
SHA1: a3894af5241f86d8094ccc3ec0326dce89c4e65b
SHA256: 70fde5e9ea72ec208951adecf91801b752d72390a87d7defb288d67553a446a1
Tags: base64-decoded, exe, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Installs a global keyboard hook
Machine Learning detection for sample
Uses dynamic DNS services
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Extracted Remcos configuration:
{"Host:Port:Password": "rfwr.duckdns.org:57870:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Disable", "Setup HKLM\\Run": "Disable", "Install path": "System32", "Copy file": "Google.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc$urG9345JRjuDjdGoH-4NTQ1E", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Yara matches on the submitted sample:
Source | Rule | Description | Author
172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Windows_Trojan_Remcos_b296e965 | unknown | unknown
Strings:
• 0x6aab8:$a1: Remcos restarted by watchdog!
• 0x6b030:$a3: %02i:%02i:%02i:%03i
172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | REMCOS_RAT_variants | unknown | unknown
Strings:
• 0x64b0c:$str_a1: C:\Windows\System32\cmd.exe
• 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
• 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
• 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
• 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
• 0x64b7c:$str_b2: Executing file:
• 0x65bfc:$str_b3: GetDirectListeningPort
• 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
• 0x65728:$str_b7: \update.vbs
• 0x64ba4:$str_b9: Downloaded file:
• 0x64b90:$str_b10: Downloading file:
• 0x64c34:$str_b12: Failed to upload file:
• 0x65bc4:$str_b13: StartForward
• 0x65be4:$str_b14: StopForward
• 0x65680:$str_b15: fso.DeleteFile "
• 0x65614:$str_b16: On Error Resume Next
• 0x656b0:$str_b17: fso.DeleteFolder "
• 0x64c24:$str_b18: Uploaded file:
• 0x64be4:$str_b19: Unable to delete:
• 0x65648:$str_b20: while fso.FileExists("
• 0x650c1:$str_c0: [Firefox StoredLogins not found]
Yara matches on dropped files:
Source | Rule | Description | Author
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Yara matches on memory dumps:
Source | Rule | Description | Author
00000000.00000002.4630144728.000000000227F000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000000.2158852443.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000000.00000000.2158852443.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000000.2158852443.0000000000459000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000000.00000000.2158852443.0000000000459000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
Strings:
• 0x134b8:$a1: Remcos restarted by watchdog!
• 0x13a30:$a3: %02i:%02i:%02i:%03i
Yara matches on unpacked PEs:
Source | Rule | Description | Author
0.2.172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
0.2.172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0.2.172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0.2.172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
Strings:
• 0x6aab8:$a1: Remcos restarted by watchdog!
• 0x6b030:$a3: %02i:%02i:%02i:%03i
0.2.172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown
Strings:
• 0x64b0c:$str_a1: C:\Windows\System32\cmd.exe
• 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
• 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
• 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
• 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
• 0x64b7c:$str_b2: Executing file:
• 0x65bfc:$str_b3: GetDirectListeningPort
• 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
• 0x65728:$str_b7: \update.vbs
• 0x64ba4:$str_b9: Downloaded file:
• 0x64b90:$str_b10: Downloading file:
• 0x64c34:$str_b12: Failed to upload file:
• 0x65bc4:$str_b13: StartForward
• 0x65be4:$str_b14: StopForward
• 0x65680:$str_b15: fso.DeleteFile "
• 0x65614:$str_b16: On Error Resume Next
• 0x656b0:$str_b17: fso.DeleteFolder "
• 0x64c24:$str_b18: Uploaded file:
• 0x64be4:$str_b19: Unable to delete:
• 0x65648:$str_b20: while fso.FileExists("
• 0x650c1:$str_c0: [Firefox StoredLogins not found]

                        Stealing of Sensitive Information

Sigma match (Remcos): Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe, ProcessId: 4340, TargetFilename: C:\ProgramData\remcos\logs.dat
Suricata IDS alerts (102 in total). Every alert has SID 2036594, severity 1, classtype "Malware Command and Control Activity Detected", source IP 192.168.2.6, destination IP 45.135.232.38, destination port 57870, protocol TCP. Timestamp and source port of each alert:

Timestamp | Source Port
2024-09-22T06:59:09.509339+0200 | 49711
2024-09-22T06:59:12.324458+0200 | 49712
2024-09-22T06:59:15.088957+0200 | 49713
2024-09-22T06:59:17.873873+0200 | 49715
2024-09-22T06:59:20.649442+0200 | 49716
2024-09-22T06:59:23.395559+0200 | 49717
2024-09-22T06:59:26.145088+0200 | 49721
2024-09-22T06:59:28.897541+0200 | 49723
2024-09-22T06:59:31.663859+0200 | 49724
2024-09-22T06:59:34.433409+0200 | 49725
2024-09-22T06:59:37.197603+0200 | 49726
2024-09-22T06:59:39.944401+0200 | 49727
2024-09-22T06:59:42.730131+0200 | 49728
2024-09-22T06:59:45.489837+0200 | 49729
2024-09-22T06:59:48.463087+0200 | 49731
2024-09-22T06:59:51.227278+0200 | 49732
2024-09-22T06:59:54.292844+0200 | 49733
2024-09-22T06:59:57.074322+0200 | 49734
2024-09-22T06:59:59.849373+0200 | 49735
2024-09-22T07:00:03.353856+0200 | 49737
2024-09-22T07:00:06.131831+0200 | 49738
2024-09-22T07:00:08.948867+0200 | 49739
2024-09-22T07:00:12.604913+0200 | 49741
2024-09-22T07:00:15.382969+0200 | 49742
2024-09-22T07:00:18.198061+0200 | 49743
2024-09-22T07:00:21.321613+0200 | 49744
2024-09-22T07:00:24.263967+0200 | 49745
2024-09-22T07:00:27.152347+0200 | 49746
2024-09-22T07:00:30.705945+0200 | 49747
2024-09-22T07:00:33.445641+0200 | 49748
2024-09-22T07:00:36.615660+0200 | 49749
2024-09-22T07:00:40.227071+0200 | 49750
2024-09-22T07:00:43.456572+0200 | 49752
2024-09-22T07:00:46.228250+0200 | 49753
2024-09-22T07:00:48.948963+0200 | 49754
2024-09-22T07:00:51.717426+0200 | 49755
2024-09-22T07:00:54.371885+0200 | 49756
2024-09-22T07:00:57.985617+0200 | 49757
2024-09-22T07:01:00.629284+0200 | 49758
2024-09-22T07:01:03.292013+0200 | 49759
2024-09-22T07:01:05.897146+0200 | 49760
2024-09-22T07:01:08.448576+0200 | 49761
2024-09-22T07:01:11.012143+0200 | 49762
2024-09-22T07:01:13.653414+0200 | 49763
2024-09-22T07:01:16.106592+0200 | 49764
2024-09-22T07:01:18.593012+0200 | 49765
2024-09-22T07:01:20.980274+0200 | 49766
2024-09-22T07:01:23.320106+0200 | 49768
2024-09-22T07:01:25.712219+0200 | 49769
2024-09-22T07:01:28.075708+0200 | 49770
2024-09-22T07:01:30.390101+0200 | 49771
2024-09-22T07:01:32.663479+0200 | 49772
2024-09-22T07:01:34.914133+0200 | 49773
2024-09-22T07:01:37.170958+0200 | 49774
2024-09-22T07:01:39.399535+0200 | 49775
2024-09-22T07:01:41.639788+0200 | 49776
2024-09-22T07:01:43.853528+0200 | 49777
2024-09-22T07:01:46.045606+0200 | 49778
2024-09-22T07:01:48.231091+0200 | 49779
2024-09-22T07:01:50.385558+0200 | 49780
2024-09-22T07:01:52.541586+0200 | 49781
2024-09-22T07:01:54.685570+0200 | 49782
2024-09-22T07:01:56.799430+0200 | 49783
2024-09-22T07:01:58.900384+0200 | 49784
2024-09-22T07:02:01.045620+0200 | 49785
2024-09-22T07:02:03.191764+0200 | 49786
2024-09-22T07:02:05.416385+0200 | 49787
2024-09-22T07:02:08.275837+0200 | 49788
2024-09-22T07:02:10.371779+0200 | 49789
2024-09-22T07:02:12.417597+0200 | 49790
2024-09-22T07:02:14.609576+0200 | 49791
2024-09-22T07:02:16.697554+0200 | 49792
2024-09-22T07:02:18.766746+0200 | 49793
2024-09-22T07:02:20.793640+0200 | 49794
2024-09-22T07:02:22.793666+0200 | 49795
2024-09-22T07:02:24.797528+0200 | 49796
2024-09-22T07:02:26.793556+0200 | 49797
2024-09-22T07:02:28.813401+0200 | 49798
2024-09-22T07:02:30.775691+0200 | 49799
2024-09-22T07:02:32.752169+0200 | 49800
2024-09-22T07:02:34.715224+0200 | 49801
2024-09-22T07:02:36.682098+0200 | 49802
2024-09-22T07:02:38.644458+0200 | 49803
2024-09-22T07:02:40.601792+0200 | 49804
2024-09-22T07:02:42.545587+0200 | 49805
2024-09-22T07:02:44.545963+0200 | 49806
2024-09-22T07:02:46.446047+0200 | 49807
2024-09-22T07:02:48.374103+0200 | 49808
2024-09-22T07:02:50.300609+0200 | 49809
2024-09-22T07:02:52.211501+0200 | 49811
2024-09-22T07:02:54.155294+0200 | 49812
2024-09-22T07:02:56.059662+0200 | 49813
2024-09-22T07:02:57.961526+0200 | 49814
2024-09-22T07:02:59.851929+0200 | 49815
2024-09-22T07:03:01.852610+0200 | 49816
2024-09-22T07:03:03.733062+0200 | 49817
2024-09-22T07:03:05.608546+0200 | 49818
2024-09-22T07:03:07.597547+0200 | 49819
2024-09-22T07:03:09.473630+0200 | 49820
2024-09-22T07:03:11.487558+0200 | 49821
2024-09-22T07:03:13.413002+0200 | 49822
2024-09-22T07:03:15.423340+0200 | 49823
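The alerts above arrive every 2 to 3 seconds and each one comes from a new source port, so the client opens a fresh TCP connection to 45.135.232.38:57870 for every check-in, which is what the "Connect interval": "1" setting in the extracted configuration looks like on the wire. The following is an added example written for this page, not Joe Sandbox or Remcos code: it parses a constructed tab-separated subset of those rows (ten of the alerts plus one unrelated alert to 203.0.113.9, in an assumed column order) and scores each source/destination pair for beaconing by the regularity of its inter-arrival times.

```python
"""Beaconing check over Suricata-style alert rows.

Added example for this page, not Joe Sandbox or Remcos code. SAMPLE_ALERTS is a
constructed tab-separated subset of the alert table (ten C2 alerts plus one
unrelated alert to 203.0.113.9); the column order is an assumption.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Columns (assumed): timestamp, sid, severity, src_ip, src_port, dst_ip, dst_port, proto
SAMPLE_ALERTS = """\
2024-09-22T06:59:09.509339+0200\t2036594\t1\t192.168.2.6\t49711\t45.135.232.38\t57870\tTCP
2024-09-22T06:59:12.324458+0200\t2036594\t1\t192.168.2.6\t49712\t45.135.232.38\t57870\tTCP
2024-09-22T06:59:15.088957+0200\t2036594\t1\t192.168.2.6\t49713\t45.135.232.38\t57870\tTCP
2024-09-22T06:59:17.873873+0200\t2036594\t1\t192.168.2.6\t49715\t45.135.232.38\t57870\tTCP
2024-09-22T06:59:20.649442+0200\t2036594\t1\t192.168.2.6\t49716\t45.135.232.38\t57870\tTCP
2024-09-22T06:59:23.395559+0200\t2036594\t1\t192.168.2.6\t49717\t45.135.232.38\t57870\tTCP
2024-09-22T06:59:26.145088+0200\t2036594\t1\t192.168.2.6\t49721\t45.135.232.38\t57870\tTCP
2024-09-22T06:59:28.897541+0200\t2036594\t1\t192.168.2.6\t49723\t45.135.232.38\t57870\tTCP
2024-09-22T06:59:31.663859+0200\t2036594\t1\t192.168.2.6\t49724\t45.135.232.38\t57870\tTCP
2024-09-22T06:59:34.433409+0200\t2036594\t1\t192.168.2.6\t49725\t45.135.232.38\t57870\tTCP
2024-09-22T07:00:00.000000+0200\t1\t1\t192.168.2.6\t50000\t203.0.113.9\t443\tTCP
"""


def parse_alerts(text):
    """Return (timestamp, src_ip, src_port, dst_ip, dst_port) per non-empty row."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _sid, _sev, src, sport, dst, dport, _proto = line.split("\t")
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")
        rows.append((stamp, src, int(sport), dst, int(dport)))
    return rows


def beacon_scores(rows, min_hits=5):
    """Group alerts by (src, dst, dport) and measure how regular each group is.

    cv is the coefficient of variation of the inter-arrival times: close to 0
    means a fixed sleep between connections, large means human or bursty use.
    """
    groups = defaultdict(list)
    for stamp, src, sport, dst, dport in rows:
        groups[(src, dst, dport)].append((stamp, sport))
    scores = {}
    for key, hits in groups.items():
        if len(hits) < min_hits:
            continue  # too few connections to say anything about periodicity
        hits.sort()
        deltas = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        avg = mean(deltas)
        scores[key] = {
            "hits": len(hits),
            # one source port per hit means one TCP connection per check-in
            "distinct_src_ports": len({sport for _, sport in hits}),
            "median_interval": median(deltas),
            "cv": pstdev(deltas) / avg if avg else float("inf"),
        }
    return scores


def flag_beacons(rows, max_cv=0.25, min_hits=5):
    """Return the (src, dst, dport) keys whose timing is regular enough to flag."""
    return sorted(key for key, s in beacon_scores(rows, min_hits).items()
                  if s["cv"] <= max_cv)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for key, stats in beacon_scores(parsed).items():
        print(key, stats)
    print("beaconing:", flag_beacons(parsed))
```

With a one-second connect interval the jitter is almost entirely TCP setup time, so the coefficient of variation comes out far below any sensible threshold; in production the same statistic would be computed per hour against a baseline of the host's normal destinations rather than on a single run, but the regularity alone already separates this traffic from the unrelated alert.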


                        AV Detection

Source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe; Avira: detected
Source: rfwr.duckdns.org; Avira URL Cloud: Label: malware
Source: 00000000.00000002.4629994767.000000000055E000.00000004.00000020.00020000.00000000.sdmp; Malware Configuration Extractor: Remcos {"Host:Port:Password": "rfwr.duckdns.org:57870:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Disable", "Setup HKLM\\Run": "Disable", "Install path": "System32", "Copy file": "Google.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc$urG9345JRjuDjdGoH-4NTQ1E", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe; ReversingLabs: Detection: 84%
Source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe; Virustotal: Detection: 78%
Source: Yara match; File source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe, type: SAMPLE
Source: Yara match; File source: 0.2.172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.4630144728.000000000227F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.2158852443.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.4629994767.000000000055E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe PID: 4340, type: MEMORYSTR
Source: Yara match; File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe; Code function: 0_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_004338C8
Source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe, 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_cf07908a-4

                        Exploits

                        Source: Yara matchFile source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe, type: SAMPLE
                        Source: Yara matchFile source: 0.2.172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.0.172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000000.00000000.2158852443.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe PID: 4340, type: MEMORYSTR

                        Privilege Escalation

                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_00407538 _wcslen,CoGetObject | 0_2_00407538
                        Source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose | 0_2_0040928E
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose | 0_2_0041C322
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose | 0_2_0040C388
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose | 0_2_004096A0
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose | 0_2_00408847
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_00407877 FindFirstFileW,FindNextFileW | 0_2_00407877
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_0044E8F9 FindFirstFileExA | 0_2_0044E8F9
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose | 0_2_0040BB6B
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW | 0_2_00419B86
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose | 0_2_0040BD72
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW | 0_2_00407CD2

                        Networking

                        Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49711 -> 45.135.232.38:57870
                        Source: Malware configuration extractor | URLs: rfwr.duckdns.org
                        Source: unknown | DNS query: name: rfwr.duckdns.org
                        Source: global traffic | TCP traffic: 192.168.2.6:49711 -> 45.135.232.38:57870
                        Source: Joe Sandbox View | ASN Name: ASBAXETNRU ASBAXETNRU
                        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_00426D42 recv | 0_2_00426D42
                        Source: global traffic | DNS traffic detected: DNS query: rfwr.duckdns.org
                        Source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | String found in binary or memory: http://geoplugin.net/json.gp
                        Source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | String found in binary or memory: http://geoplugin.net/json.gp/C

                        Key, Mouse, Clipboard, Microphone and Screen Capturing

                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000 | 0_2_0040A2F3
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard | 0_2_0040B749
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard | 0_2_004168FC
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx | 0_2_0040A41B
                        Source: Yara match | File source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe, type: SAMPLE
                        Source: Yara match | File source: 0.2.172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.0.172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000000.2158852443.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe PID: 4340, type: MEMORYSTR

                        E-Banking Fraud

                        Source: Yara match | File source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe, type: SAMPLE
                        Source: Yara match | File source: 0.2.172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.0.172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000002.4630144728.000000000227F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000000.2158852443.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.4629994767.000000000055E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe PID: 4340, type: MEMORYSTR
                        Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                        Spam, unwanted Advertisements and Ransom Demands

                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_0041CA73 SystemParametersInfoW | 0_2_0041CA73

                        System Summary

                        Source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants Author: unknown
                        Source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe, type: SAMPLE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 0.2.172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 0.2.172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                        Source: 0.2.172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 0.0.172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 0.0.172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                        Source: 0.0.172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                        Source: 00000000.00000000.2158852443.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: Process Memory Space: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe PID: 4340, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Process Stats: CPU usage > 49%
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle | 0_2_0041330D
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle | 0_2_0041BBC6
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle | 0_2_0041BB9A
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress | 0_2_004167EF
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_0043706A | 0_2_0043706A
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_00414005 | 0_2_00414005
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_0043E11C | 0_2_0043E11C
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_004541D9 | 0_2_004541D9
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_004381E8 | 0_2_004381E8
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_0041F18B | 0_2_0041F18B
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_00446270 | 0_2_00446270
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_0043E34B | 0_2_0043E34B
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_004533AB | 0_2_004533AB
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_0042742E | 0_2_0042742E
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_00437566 | 0_2_00437566
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_0043E5A8 | 0_2_0043E5A8
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_004387F0 | 0_2_004387F0
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_0043797E | 0_2_0043797E
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_004339D7 | 0_2_004339D7
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_0044DA49 | 0_2_0044DA49
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_00427AD7 | 0_2_00427AD7
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_0041DBF3 | 0_2_0041DBF3
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_00427C40 | 0_2_00427C40
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_00437DB3 | 0_2_00437DB3
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_00435EEB | 0_2_00435EEB
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_0043DEED | 0_2_0043DEED
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: 0_2_00426E9F0_2_00426E9F
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: String function: 00402093 appears 50 times
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: String function: 00401E65 appears 34 times
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: String function: 00434E70 appears 54 times
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: String function: 00434801 appears 42 times
Source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.0.172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.0.172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.0.172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000000.2158852443.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe PID: 4340, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@1/1@5/1
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc$urG9345JRjuDjdGoH-4NTQ1E
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Command line argument: pW | 0_2_0040EA00
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Command line argument: Software\ | 0_2_0040EA00
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Command line argument: Exe | 0_2_0040EA00
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Command line argument: ,aF | 0_2_0040EA00
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Command line argument: Inj | 0_2_0040EA00
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Command line argument: 8SG | 0_2_0040EA00
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Command line argument: exepath | 0_2_0040EA00
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Command line argument: licence | 0_2_0040EA00
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Command line argument: dMG | 0_2_0040EA00
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Command line argument: PSG | 0_2_0040EA00
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Command line argument: Administrator | 0_2_0040EA00
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Command line argument: User | 0_2_0040EA00
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Command line argument: del | 0_2_0040EA00
Source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | ReversingLabs: Detection: 84%
Source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Virustotal: Detection: 78%
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Section loaded: cryptbase.dll
Source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_00457186 push ecx; ret 0_2_00457199
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_00457AA8 push eax; ret 0_2_00457AC6
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_00434EB6 push ecx; ret 0_2_00434EC9
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_00406EEB ShellExecuteW,URLDownloadToFileW
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Code function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: 0_2_0040F7E2 Sleep,ExitProcess,0_2_0040F7E2
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,0_2_0041A7D9
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeWindow / User API: threadDelayed 9128Jump to behavior
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeWindow / User API: foregroundWindowGot 1773Jump to behavior
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe TID: 3744Thread sleep count: 210 > 30Jump to behavior
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe TID: 3744Thread sleep time: -105000s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe TID: 3420Thread sleep count: 340 > 30Jump to behavior
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe TID: 3420Thread sleep time: -1020000s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe TID: 3420Thread sleep count: 9128 > 30Jump to behavior
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe TID: 3420Thread sleep time: -27384000s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: 0_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_0040928E
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: 0_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,0_2_0041C322
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: 0_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,0_2_0040C388
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: 0_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,0_2_004096A0
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: 0_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,0_2_00408847
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: 0_2_00407877 FindFirstFileW,FindNextFileW,0_2_00407877
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: 0_2_0044E8F9 FindFirstFileExA,0_2_0044E8F9
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: 0_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040BB6B
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: 0_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00419B86
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: 0_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040BD72
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: 0_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00407CD2
                        Source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe, 00000000.00000002.4629994767.000000000055E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe API call chain: ExitProcess graph end node (graph_0-48500)
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: 0_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00434A8A
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: 0_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041CBE1
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: 0_2_00443355 mov eax, dword ptr fs:[00000030h]0_2_00443355
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: 0_2_004120B2 GetProcessHeap,HeapFree,0_2_004120B2
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: 0_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0043503C
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: 0_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00434A8A
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: 0_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0043BB71
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: 0_2_00434BD8 SetUnhandledExceptionFilter,0_2_00434BD8
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe0_2_00412132
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: 0_2_00419662 mouse_event,0_2_00419662
                        Source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe, 00000000.00000002.4629994767.000000000055E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managery_I
                        Source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe, 00000000.00000002.4629994767.000000000055E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
                        Source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe, 00000000.00000002.4629994767.000000000055E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managera
                        Source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe, 00000000.00000002.4629994767.000000000055E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerns.org:57870
                        Source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe, 00000000.00000002.4629994767.000000000055E000.00000004.00000020.00020000.00000000.sdmp, logs.dat.0.drBinary or memory string: [Program Manager]
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: 0_2_00434CB6 cpuid 0_2_00434CB6
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: EnumSystemLocalesW,0_2_0045201B
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: EnumSystemLocalesW,0_2_004520B6
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00452143
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: GetLocaleInfoW,0_2_00452393
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: EnumSystemLocalesW,0_2_00448484
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_004524BC
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: GetLocaleInfoW,0_2_004525C3
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00452690
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: GetLocaleInfoW,0_2_0044896D
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: GetLocaleInfoA,0_2_0040F90C
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00451D58
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: EnumSystemLocalesW,0_2_00451FD0
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: 0_2_00404F51 GetLocalTime,CreateEventA,CreateThread,0_2_00404F51
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: 0_2_0041B69E GetComputerNameExW,GetUserNameW,0_2_0041B69E
                        Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeCode function: 0_2_00449210 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_00449210
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
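The "Code function" lines above are the report's per-function API chains, written as "<pid>_<round>_<address> <APIs> <same id>". The Python below, added here as an example and not part of the Joe Sandbox report, parses lines in that format into a function id plus API list and tags the behaviours the report calls out (directory walks that delete files, IsDebuggerPresent, fs:[30h] PEB reads, repeated GetProcAddress resolution, computer and user name collection). The sample lines are constructed in the report's format with a shortened sample name, and the tag rules are the editor's own heuristics, not Joe Sandbox signature logic.

```python
"""Turn Joe Sandbox 'Code function' signature lines into a per-function
API triage table. Added example; SAMPLE_LINES are constructed in the
report's format, and the tag rules are editor heuristics."""
import re
from collections import Counter

SAMPLE_LINES = [
    "Source: C:\\Users\\user\\Desktop\\sample.exeCode function: 0_2_0041C322 "
    "FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,"
    "GetLastError,FindClose,RemoveDirectoryW,FindClose,0_2_0041C322",
    "Source: C:\\Users\\user\\Desktop\\sample.exeCode function: 0_2_00434A8A "
    "IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,"
    "UnhandledExceptionFilter,0_2_00434A8A",
    "Source: C:\\Users\\user\\Desktop\\sample.exeCode function: 0_2_0041CBE1 "
    "LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,"
    "GetProcAddress,0_2_0041CBE1",
    "Source: C:\\Users\\user\\Desktop\\sample.exeCode function: 0_2_00443355 "
    "mov eax, dword ptr fs:[00000030h]0_2_00443355",
    "Source: C:\\Users\\user\\Desktop\\sample.exeCode function: 0_2_0041B69E "
    "GetComputerNameExW,GetUserNameW,0_2_0041B69E",
    # A non-signature line; the parser must skip it.
    "Source: sample.exe, 00000000.00000002.sdmpBinary or memory string: Program Manager",
]

# The report closes every line with the same function id it opened with,
# so the id doubles as the end anchor of the API body.
LINE_RE = re.compile(r"Code function: (?P<fn>\d+_\d+_[0-9A-Fa-f]{8}) (?P<body>.*?)(?P=fn)\s*$")
API_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_@]*")  # e.g. FindFirstFileW, __CxxThrowException@8


def parse_line(line):
    """Return (function_id, [api names], raw body) or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    body = m.group("body")
    tokens = [t.strip() for t in body.split(",")]
    apis = [t for t in tokens if API_RE.fullmatch(t)]  # drops disassembly fragments
    return m.group("fn"), apis, body


def tag_function(apis, body):
    """Editor heuristics mapping one API chain to the behaviours named above."""
    s = set(apis)
    tags = []
    if s & {"FindFirstFileA", "FindFirstFileW"} and s & {"DeleteFileA", "DeleteFileW", "RemoveDirectoryW"}:
        tags.append("directory sweep with deletion")
    if "IsDebuggerPresent" in s:
        tags.append("debugger check")
    if apis.count("GetProcAddress") >= 3:  # threshold is an editor choice
        tags.append("dynamic API resolution")
    if "fs:[00000030h]" in body:  # TEB+0x30 is the PEB pointer on x86
        tags.append("PEB access via fs:[30h]")
    if s & {"GetComputerNameExW", "GetUserNameW"}:
        tags.append("host/user fingerprinting")
    return tags


def triage(lines):
    """Map every function id found in the lines to its behaviour tags."""
    result = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        fn, apis, body = parsed
        result[fn] = tag_function(apis, body)
    return result


def api_histogram(lines):
    """Count how often each API name appears across all parsed functions."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            counts.update(parsed[1])
    return counts


if __name__ == "__main__":
    for fn, tags in triage(SAMPLE_LINES).items():
        print(fn, ", ".join(tags) or "-")
    print(api_histogram(SAMPLE_LINES).most_common(3))
```

Run over the full set of lines from a report, triage() gives a quick map of which functions carry the evasion, discovery and cleanup logic, which is a useful starting set of addresses to open in a disassembler.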

Stealing of Sensitive Information

Source: Yara match, file source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe, type: SAMPLE
Source: Yara match, file source: 0.2.172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.0.172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000000.00000002.4630144728.000000000227F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000000.2158852443.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.4629994767.000000000055E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe PID: 4340, type: MEMORYSTR
Source: Yara match, file source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0_2_0040BA4D
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 0_2_0040BB6B
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe Code function: \key3.db 0_2_0040BB6B

Remote Access Functionality

Source: Yara match, file source: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe, type: SAMPLE
Source: Yara match, file source: 0.2.172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.0.172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000000.00000002.4630144728.000000000227F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000000.2158852443.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.4629994767.000000000055E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe PID: 4340, type: MEMORYSTR
Source: Yara match, file source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe Code function: cmd.exe 0_2_0040569A
MITRE ATT&CK matrix (rebuilt from the flattened table; the counters are reproduced as the report prints them next to each technique, and the cells that carry no counter are the matrix's unmatched placeholder techniques, which are not repeated here)

Reconnaissance: no matched techniques
Resource Development: no matched techniques
Initial Access: no matched techniques
Execution: Native API (1); Command and Scripting Interpreter (12); Service Execution (2)
Persistence: DLL Side-Loading (1); Windows Service (1)
Privilege Escalation: DLL Side-Loading (1); Bypass User Account Control (1); Access Token Manipulation (1); Windows Service (1); Process Injection (11)
Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1); Bypass User Account Control (1); Virtualization/Sandbox Evasion (1); Access Token Manipulation (1); Process Injection (11)
Credential Access: OS Credential Dumping (1); Input Capture (211); Credentials In Files (2)
Discovery: System Time Discovery (2); Account Discovery (1); System Service Discovery (1); File and Directory Discovery (2); System Information Discovery (23); Security Software Discovery (21); Virtualization/Sandbox Evasion (1); Process Discovery (2); Application Window Discovery (1); System Owner/User Discovery (1)
Lateral Movement: no matched techniques
Collection: Archive Collected Data (11); Input Capture (211); Clipboard Data (3)
Command and Control: Ingress Tool Transfer (11); Encrypted Channel (2); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (21)
Exfiltration: no matched techniques
Impact: System Shutdown/Reboot (1); Defacement (1)

Antivirus detection for the submitted sample 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe (Detection / Scanner / Label):
• 84% / ReversingLabs / Win32.Backdoor.Remcos
• 78% / Virustotal / (no label)
• 100% / Avira / BDS/Backdoor.Gen
• 100% / Joe Sandbox ML / (no label)
No Antivirus matches (the report's three further scanner tables are empty)

URL and domain reputation (Source / Detection / Scanner / Label):
• http://geoplugin.net/json.gp / 0% / URL Reputation / safe
• http://geoplugin.net/json.gp/C / 0% / URL Reputation / safe
• rfwr.duckdns.org / 100% / Avira URL Cloud / malware

Domains (Name / IP / Active / Malicious / Antivirus Detection / Reputation):
• rfwr.duckdns.org / 45.135.232.38 / true / true / (none listed) / unknown

Contacted domains (Name / Malicious / Antivirus Detection / Reputation):
• rfwr.duckdns.org / true / Avira URL Cloud: malware / unknown

URLs (Name / Source / Malicious / Antivirus Detection / Reputation):
• http://geoplugin.net/json.gp / the submitted sample / false / URL Reputation: safe / unknown
• http://geoplugin.net/json.gp/C / the submitted sample / false / URL Reputation: safe / unknown
geoplugin.net is a public geolocation API, so the safe rating is expected; the request is still a usable network signal for this sample, while the dynamic-DNS host rfwr.duckdns.org is the C2 indicator.

IPs (IP / Domain / Country / ASN / ASN Name / Malicious):
• 45.135.232.38 / rfwr.duckdns.org / Russian Federation / 49392 / ASBAXETNRU / true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1515272
Start date and time: 2024-09-22 06:58:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 32s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@1/1@5/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 31
• Number of non-executed functions: 217
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240s for sample files taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtQueryValueKey calls found.
Time / Type / Description:
• 00:59:38 / API Interceptor / 6397750x Sleep call for process 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe modified
Context for IP 45.135.232.38, other samples that contacted it (Associated Sample Name / Detection / Threat Name):
• 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe / malicious / AsyncRAT, DcRat
• decode_3c3a2e81bb9b9ea689c7c8d6aa9e24c0af55f3915e14295a64263688c83f4ab7.exe / malicious / Remcos
• sostener.vbs / malicious / Remcos
No context
Context for ASN ASBAXETNRU, other samples seen on this network (Associated Sample Name / Detection / Threat Name / IP):
• 1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exe / malicious / AsyncRAT, DcRat / 45.135.232.38
• SecuriteInfo.com.Linux.Siggen.9999.8861.1379.elf / malicious / Mirai / 212.196.169.14
• file.exe / malicious / AsyncRAT, DcRat / 212.192.12.222
• http://104.219.233.181/fwd/P2Q9MjU2Mjc5JmVpPTcyODUyMjcyJmlmPTUxNDQyJm5kcD03OTgzJnNpPTE3JmxpPTIyMzcz / malicious / Phisher / 45.147.195.6
• decode_3c3a2e81bb9b9ea689c7c8d6aa9e24c0af55f3915e14295a64263688c83f4ab7.exe / malicious / Remcos / 45.135.232.38
• NwFP.exe / malicious / SmokeLoader / 45.142.44.233
• sostener.vbs / malicious / Remcos / 45.135.232.38
• wAO7F8FbEz.elf / malicious / Unknown / 212.196.181.198
• http://0la4fyd6lwi0xam.rodconant.com/q3bCCwDV?sub1=tt&keyword=lmai@dllr.state.md.us&sub2=rochapan.com.br / malicious / Unknown / 46.29.162.82
• hidakibest.arm5.elf / malicious / Gafgyt, Mirai / 45.93.200.174
No context
No context
Process: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe
File Type: data
Category: dropped
Size (bytes): 310
Entropy (8bit): 3.390734542083538
Encrypted: false
SSDEEP: 6:6lul55YcIeeDAlOWA7DxbN2fBMMm0wiDxbN2f1l5m0v:6lulhec0WItN25MMy4tN2X5l
MD5: 2A388F82B881F282FA5F396D10BF5280
SHA1: 2438DE6F2A28972BD6248B11B6733C69BC3404CA
SHA-256: 2968B95428969EB4314F60FE8D4C5B90A12581B79EDD692C7D32E81747802441
SHA-512: BDB9A4CF01ACA8F0B98BF0DCB1B5FAE68A582FADE9AE9498E8B14F38E15321D9C0FEE239B0F092842B401A6B6978F07FC34B3015BF304296B8703A4F20E7A0CD
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Reputation: low
Preview:....[.2.0.2.4./.0.9./.2.2. .0.0.:.5.9.:.0.6. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........{. .U.s.e.r. .h.a.s. .b.e.e.n. .i.d.l.e. .f.o.r. .0. .m.i.n.u.t.e.s. .}.........{. .U.s.e.r. .h.a.s. .b.e.e.n. .i.d.l.e. .f.o.r. .3.0.7.4. .m.i.n.u.t.e.s. .}.....
Decoded preview: the dump is UTF-16LE text (every character is followed by a null byte, shown as a dot) and reads:
[2024/09/22 00:59:06 Offline Keylogger Started]
[Program Manager]
{ User has been idle for 0 minutes }
{ User has been idle for 3074 minutes }
That is the Remcos offline keylog header, the title of the foreground window when logging began (Program Manager is the Explorer desktop window) and two idle-time markers. The text is stored unencrypted, which is what the low entropy of 3.39 reflects; an encrypted log of this size would sit far closer to 8.
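The Python below, an added example rather than code from the report or from Remcos, rebuilds logs.dat from the preview, checks that the byte layout inferred here (UTF-16LE without a BOM, a leading CRLF, a blank line between entries, a trailing CRLF) reproduces the stated size of 310 bytes, and parses the file into event, window-title and idle-marker records. Treating any line that matches none of those patterns as captured keystrokes under the most recent window title is an assumption: the preview contains no keystrokes.

```python
"""Decode a Remcos offline keylog (logs.dat) into structured records.

Added example. SAMPLE_LOG is reconstructed from the report's preview; the
byte layout is inferred and checked against the stated 310-byte size. The
'keys' record kind (unmatched lines attributed to the last window title)
is an assumption about entries the preview does not show."""
import re
from typing import Dict, List

# Constructed from the preview: UTF-16LE, no BOM, leading CRLF, blank line
# between entries, trailing CRLF. 155 code units -> 310 bytes.
SAMPLE_LOG = (
    "\r\n[2024/09/22 00:59:06 Offline Keylogger Started]\r\n\r\n"
    "[Program Manager]\r\n\r\n"
    "{ User has been idle for 0 minutes }\r\n\r\n"
    "{ User has been idle for 3074 minutes }\r\n"
).encode("utf-16-le")

EVENT_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (.+)\]$")
WINDOW_RE = re.compile(r"^\[(.+)\]$")
IDLE_RE = re.compile(r"^\{ User has been idle for (\d+) minutes \}$")


def decode_log(data: bytes) -> List[str]:
    """Decode UTF-16LE (BOM optional) and return the non-empty lines."""
    if data.startswith(b"\xff\xfe"):
        data = data[2:]
    if len(data) % 2:
        raise ValueError("odd byte count; not UTF-16LE")
    return [ln for ln in data.decode("utf-16-le").split("\r\n") if ln]


def parse_remcos_log(data: bytes) -> List[Dict]:
    """Classify each line; window titles carry forward onto later records."""
    records: List[Dict] = []
    window = None
    for line in decode_log(data):
        m = EVENT_RE.match(line)            # "[timestamp text]"
        if m:
            records.append({"kind": "event", "timestamp": m.group(1), "text": m.group(2)})
            continue
        m = IDLE_RE.match(line)             # "{ User has been idle for N minutes }"
        if m:
            records.append({"kind": "idle", "minutes": int(m.group(1)), "window": window})
            continue
        m = WINDOW_RE.match(line)           # "[Window Title]"
        if m:
            window = m.group(1)
            records.append({"kind": "window", "title": window})
            continue
        # Assumption: anything else is captured keystroke text.
        records.append({"kind": "keys", "window": window, "text": line})
    return records


def keystrokes_by_window(records: List[Dict]) -> Dict:
    """Group assumed keystroke records under the window they were typed into."""
    out: Dict = {}
    for r in records:
        if r["kind"] == "keys":
            out.setdefault(r["window"], []).append(r["text"])
    return out


if __name__ == "__main__":
    assert len(SAMPLE_LOG) == 310, "layout guess does not match the reported size"
    for rec in parse_remcos_log(SAMPLE_LOG):
        print(rec)
```

The size check is the point of the reconstruction: the preview alone does not show how many control characters separate the entries, and matching the reported 310 bytes exactly is what validates the layout before the parser is trusted on a real file.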
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.601337314557298
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe
File size: 494'592 bytes
MD5: 77af19d8b1cbbd2762ba3eb3ef2bf9df
SHA1: a3894af5241f86d8094ccc3ec0326dce89c4e65b
SHA256: 70fde5e9ea72ec208951adecf91801b752d72390a87d7defb288d67553a446a1
SHA512: e19da8d56259e80a783c35cc0fa4f9a77ae04ad0709a10f77231b3191e5882fbb4e2dcd76afb72d950ed523080e93291dacb34dded8067dbe4111304285c078f
SSDEEP: 6144:5Tz+c6KHYBhDc1RGJdv//NkUn+N5Bkf/0TELRvIZPjbsAOZZmAX4crcT4:5TlrYw1RUh3NFn+N5WfIQIjbs/Zm7T4
TLSH: 7BB49E01BAD2C072D57514300D3AF776EAB8BD201835497B73EA1D5BFE31190A72AAB7
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{.-H..~H..~H..~..'~[..~..%~...~..$~V..~AbR~I..~...~J..~.D..R..~.D..r..~.D..j..~AbE~Q..~H..~v..~.D..,..~.D)~I..~.D..I..~RichH..
Icon Hash: 95694d05214c1b33
Entrypoint: 0x434a80
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x66D71DE3 [Tue Sep 3 14:32:03 2024 UTC]
TLS Callbacks: (none listed)
CLR (.Net) Version: (none listed)
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 1389569a3a39186f3eb453b501cfe688
Instructions (disassembly starting at the entry point 0x434a80):
                                call 00007FC4248B204Bh
                                jmp 00007FC4248B1A93h
                                push ebp
                                mov ebp, esp
                                sub esp, 00000324h
                                push ebx
                                push esi
                                push 00000017h
                                call 00007FC4248D42E3h
                                test eax, eax
                                je 00007FC4248B1C07h
                                mov ecx, dword ptr [ebp+08h]
                                int 29h
                                xor esi, esi
                                lea eax, dword ptr [ebp-00000324h]
                                push 000002CCh
                                push esi
                                push eax
                                mov dword ptr [00471D14h], esi
                                call 00007FC4248B4056h
                                add esp, 0Ch
                                mov dword ptr [ebp-00000274h], eax
                                mov dword ptr [ebp-00000278h], ecx
                                mov dword ptr [ebp-0000027Ch], edx
                                mov dword ptr [ebp-00000280h], ebx
                                mov dword ptr [ebp-00000284h], esi
                                mov dword ptr [ebp-00000288h], edi
                                mov word ptr [ebp-0000025Ch], ss
                                mov word ptr [ebp-00000268h], cs
                                mov word ptr [ebp-0000028Ch], ds
                                mov word ptr [ebp-00000290h], es
                                mov word ptr [ebp-00000294h], fs
                                mov word ptr [ebp-00000298h], gs
                                pushfd
                                pop dword ptr [ebp-00000264h]
                                mov eax, dword ptr [ebp+04h]
                                mov dword ptr [ebp-0000026Ch], eax
                                lea eax, dword ptr [ebp+04h]
                                mov dword ptr [ebp-00000260h], eax
                                mov dword ptr [ebp-00000324h], 00010001h
                                mov eax, dword ptr [eax-04h]
                                push 00000050h
                                mov dword ptr [ebp-00000270h], eax
                                lea eax, dword ptr [ebp-58h]
                                push esi
                                push eax
                                call 00007FC4248B3FCDh
                                Programming Language:
                                • [C++] VS2008 SP1 build 30729
                                • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6eeb8 | 0x104 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x79000 | 0x4ac0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7e000 | 0x3bc8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6d350 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x6d3e4 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6d388 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x59000 | 0x500 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x571f5 | 0x57200 | e504ab64b98631753dc227346d757c52 | False | 0.5716379348995696 | data | 6.6273936921798455 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x59000 | 0x179dc | 0x17a00 | 2a24a2cbf738bf5f992a0162fad3d464 | False | 0.5008577215608465 | data | 5.862074061245876 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x71000 | 0x5d44 | 0xe000 | 0eaccffe1cb836994ce5d3ccfb22d4f9 | False | 0.22126116071428573 | data | 3.0035180736120775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x77000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids | 0x78000 | 0x230 | 0x400 | 9ca325bce9f8c0342c0381814603584a | False | 0.330078125 | data | 2.3999762503719224 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x79000 | 0x4ac0 | 0x4c00 | 6cd0c053913b790048cbdeed7ab8f2d3 | False | 0.27631578947368424 | data | 3.979232399270872 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7e000 | 0x3bc8 | 0x3c00 | 047d13d1dd0f82094cdf10f08253441e | False | 0.7640625 | data | 6.723768218094163 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x7918c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3421985815602837
RT_ICON | 0x795f4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.27704918032786885
RT_ICON | 0x79f7c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.23686679174484052
RT_ICON | 0x7b024 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.22977178423236513
RT_RCDATA | 0x7d5cc | 0x4b2 | data | | | 1.0091514143094842
RT_GROUP_ICON | 0x7da80 | 0x3e | data | English | United States | 0.8064516129032258
DLL | Import
KERNEL32.dll | FindNextFileA, ExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, UnmapViewOfFile, DuplicateHandle, CreateFileMappingW, MapViewOfFile, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, FindFirstFileA, FormatMessageA, FindNextVolumeW, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, HeapReAlloc, GetACP, GetModuleHandleExW, MoveFileExW, RtlUnwind, RaiseException, LoadLibraryExW, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, GetFileSize, TerminateThread, GetLastError, CreateDirectoryW, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, GetLogicalDriveStringsA, DeleteFileW, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, CreateMutexA, GetCurrentProcess, GetProcAddress, LoadLibraryA, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, SetConsoleOutputCP, InitializeCriticalSectionAndSpinCount, MultiByteToWideChar, DecodePointer, EncodePointer, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, SetEndOfFile
USER32.dll | GetMessageA, GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, DispatchMessageA, SetForegroundWindow, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CloseWindow, SendInput, EnumDisplaySettingsW, mouse_event, CreatePopupMenu, TranslateMessage, TrackPopupMenu, DefWindowProcA, CreateWindowExA, AppendMenuA, GetSystemMetrics, RegisterClassExA, GetCursorPos, SystemParametersInfoW, GetWindowThreadProcessId, MapVirtualKeyA, DrawIcon, GetIconInfo
GDI32.dll | BitBlt, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteObject, CreateDCA, GetObjectA, DeleteDC
ADVAPI32.dll | CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW, RegDeleteKeyA
SHELL32.dll | ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
ole32.dll | CoInitializeEx, CoUninitialize, CoGetObject
SHLWAPI.dll | PathFileExistsW, PathFileExistsA, StrToIntA
WINMM.dll | waveInOpen, waveInStart, waveInAddBuffer, PlaySoundW, mciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInPrepareHeader, waveInUnprepareHeader
WS2_32.dll | gethostbyname, send, WSAStartup, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, WSAGetLastError, recv, connect, socket
urlmon.dll | URLOpenBlockingStreamW, URLDownloadToFileW
gdiplus.dll | GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipAlloc, GdipCloneImage, GdipGetImageEncoders, GdiplusStartup, GdipLoadImageFromStream
WININET.dll | InternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-22T06:59:09.509339+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49711 | 45.135.232.38 | 57870 | TCP
2024-09-22T06:59:12.324458+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49712 | 45.135.232.38 | 57870 | TCP
2024-09-22T06:59:15.088957+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49713 | 45.135.232.38 | 57870 | TCP
2024-09-22T06:59:17.873873+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49715 | 45.135.232.38 | 57870 | TCP
2024-09-22T06:59:20.649442+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49716 | 45.135.232.38 | 57870 | TCP
2024-09-22T06:59:23.395559+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49717 | 45.135.232.38 | 57870 | TCP
2024-09-22T06:59:26.145088+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49721 | 45.135.232.38 | 57870 | TCP
2024-09-22T06:59:28.897541+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49723 | 45.135.232.38 | 57870 | TCP
2024-09-22T06:59:31.663859+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49724 | 45.135.232.38 | 57870 | TCP
2024-09-22T06:59:34.433409+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49725 | 45.135.232.38 | 57870 | TCP
2024-09-22T06:59:37.197603+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49726 | 45.135.232.38 | 57870 | TCP
2024-09-22T06:59:39.944401+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49727 | 45.135.232.38 | 57870 | TCP
2024-09-22T06:59:42.730131+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49728 | 45.135.232.38 | 57870 | TCP
2024-09-22T06:59:45.489837+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49729 | 45.135.232.38 | 57870 | TCP
2024-09-22T06:59:48.463087+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49731 | 45.135.232.38 | 57870 | TCP
2024-09-22T06:59:51.227278+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49732 | 45.135.232.38 | 57870 | TCP
2024-09-22T06:59:54.292844+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49733 | 45.135.232.38 | 57870 | TCP
2024-09-22T06:59:57.074322+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49734 | 45.135.232.38 | 57870 | TCP
2024-09-22T06:59:59.849373+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49735 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:00:03.353856+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49737 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:00:06.131831+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49738 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:00:08.948867+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49739 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:00:12.604913+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49741 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:00:15.382969+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49742 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:00:18.198061+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49743 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:00:21.321613+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49744 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:00:24.263967+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49745 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:00:27.152347+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49746 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:00:30.705945+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49747 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:00:33.445641+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49748 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:00:36.615660+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49749 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:00:40.227071+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49750 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:00:43.456572+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49752 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:00:46.228250+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49753 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:00:48.948963+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49754 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:00:51.717426+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49755 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:00:54.371885+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49756 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:00:57.985617+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49757 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:01:00.629284+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49758 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:01:03.292013+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49759 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:01:05.897146+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49760 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:01:08.448576+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49761 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:01:11.012143+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49762 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:01:13.653414+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49763 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:01:16.106592+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49764 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:01:18.593012+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49765 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:01:20.980274+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49766 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:01:23.320106+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49768 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:01:25.712219+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49769 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:01:28.075708+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49770 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:01:30.390101+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49771 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:01:32.663479+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49772 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:01:34.914133+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49773 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:01:37.170958+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49774 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:01:39.399535+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49775 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:01:41.639788+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49776 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:01:43.853528+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49777 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:01:46.045606+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49778 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:01:48.231091+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49779 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:01:50.385558+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49780 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:01:52.541586+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49781 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:01:54.685570+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49782 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:01:56.799430+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49783 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:01:58.900384+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49784 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:02:01.045620+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49785 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:02:03.191764+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49786 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:02:05.416385+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49787 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:02:08.275837+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49788 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:02:10.371779+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49789 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:02:12.417597+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49790 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:02:14.609576+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49791 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:02:16.697554+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49792 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:02:18.766746+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49793 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:02:20.793640+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49794 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:02:22.793666+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49795 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:02:24.797528+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49796 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:02:26.793556+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49797 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:02:28.813401+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49798 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:02:30.775691+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49799 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:02:32.752169+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49800 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:02:34.715224+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49801 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:02:36.682098+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49802 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:02:38.644458+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49803 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:02:40.601792+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49804 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:02:42.545587+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49805 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:02:44.545963+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49806 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:02:46.446047+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49807 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:02:48.374103+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49808 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:02:50.300609+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49809 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:02:52.211501+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49811 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:02:54.155294+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49812 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:02:56.059662+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49813 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:02:57.961526+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49814 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:02:59.851929+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49815 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:03:01.852610+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49816 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:03:03.733062+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49817 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:03:05.608546+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49818 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:03:07.597547+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49819 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:03:09.473630+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49820 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:03:11.487558+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49821 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:03:13.413002+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49822 | 45.135.232.38 | 57870 | TCP
2024-09-22T07:03:15.423340+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49823 | 45.135.232.38 | 57870 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 22, 2024 06:59:07.733150959 CEST | 49711 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:07.738008976 CEST | 57870 | 49711 | 45.135.232.38 | 192.168.2.6
Sep 22, 2024 06:59:07.738106012 CEST | 49711 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:07.747355938 CEST | 49711 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:07.752088070 CEST | 57870 | 49711 | 45.135.232.38 | 192.168.2.6
Sep 22, 2024 06:59:09.509146929 CEST | 57870 | 49711 | 45.135.232.38 | 192.168.2.6
Sep 22, 2024 06:59:09.509339094 CEST | 49711 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:09.509423971 CEST | 49711 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:09.514183998 CEST | 57870 | 49711 | 45.135.232.38 | 192.168.2.6
Sep 22, 2024 06:59:10.521073103 CEST | 49712 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:10.526072979 CEST | 57870 | 49712 | 45.135.232.38 | 192.168.2.6
Sep 22, 2024 06:59:10.526185036 CEST | 49712 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:10.529679060 CEST | 49712 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:10.534462929 CEST | 57870 | 49712 | 45.135.232.38 | 192.168.2.6
Sep 22, 2024 06:59:12.324352980 CEST | 57870 | 49712 | 45.135.232.38 | 192.168.2.6
Sep 22, 2024 06:59:12.324457884 CEST | 49712 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:12.324496984 CEST | 49712 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:12.329314947 CEST | 57870 | 49712 | 45.135.232.38 | 192.168.2.6
Sep 22, 2024 06:59:13.333614111 CEST | 49713 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:13.338514090 CEST | 57870 | 49713 | 45.135.232.38 | 192.168.2.6
Sep 22, 2024 06:59:13.338638067 CEST | 49713 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:13.343477011 CEST | 49713 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:13.348356962 CEST | 57870 | 49713 | 45.135.232.38 | 192.168.2.6
Sep 22, 2024 06:59:15.088905096 CEST | 57870 | 49713 | 45.135.232.38 | 192.168.2.6
Sep 22, 2024 06:59:15.088957071 CEST | 49713 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:15.089024067 CEST | 49713 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:15.093921900 CEST | 57870 | 49713 | 45.135.232.38 | 192.168.2.6
Sep 22, 2024 06:59:16.099404097 CEST | 49715 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:16.104372978 CEST | 57870 | 49715 | 45.135.232.38 | 192.168.2.6
Sep 22, 2024 06:59:16.104485989 CEST | 49715 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:16.109247923 CEST | 49715 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:16.114020109 CEST | 57870 | 49715 | 45.135.232.38 | 192.168.2.6
Sep 22, 2024 06:59:17.873716116 CEST | 57870 | 49715 | 45.135.232.38 | 192.168.2.6
Sep 22, 2024 06:59:17.873872995 CEST | 49715 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:17.877216101 CEST | 49715 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:17.882143021 CEST | 57870 | 49715 | 45.135.232.38 | 192.168.2.6
Sep 22, 2024 06:59:18.880979061 CEST | 49716 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:18.885957956 CEST | 57870 | 49716 | 45.135.232.38 | 192.168.2.6
Sep 22, 2024 06:59:18.886063099 CEST | 49716 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:18.888995886 CEST | 49716 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:18.894016981 CEST | 57870 | 49716 | 45.135.232.38 | 192.168.2.6
Sep 22, 2024 06:59:20.649297953 CEST | 57870 | 49716 | 45.135.232.38 | 192.168.2.6
Sep 22, 2024 06:59:20.649441957 CEST | 49716 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:20.649597883 CEST | 49716 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:20.655169964 CEST | 57870 | 49716 | 45.135.232.38 | 192.168.2.6
Sep 22, 2024 06:59:21.661864042 CEST | 49717 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:21.666718006 CEST | 57870 | 49717 | 45.135.232.38 | 192.168.2.6
Sep 22, 2024 06:59:21.666806936 CEST | 49717 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:21.669658899 CEST | 49717 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:21.674427032 CEST | 57870 | 49717 | 45.135.232.38 | 192.168.2.6
Sep 22, 2024 06:59:23.395416975 CEST | 57870 | 49717 | 45.135.232.38 | 192.168.2.6
Sep 22, 2024 06:59:23.395559072 CEST | 49717 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:23.395559072 CEST | 49717 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:23.400368929 CEST | 57870 | 49717 | 45.135.232.38 | 192.168.2.6
Sep 22, 2024 06:59:24.411974907 CEST | 49721 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:24.416935921 CEST | 57870 | 49721 | 45.135.232.38 | 192.168.2.6
Sep 22, 2024 06:59:24.419800043 CEST | 49721 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:24.423290968 CEST | 49721 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:24.428139925 CEST | 57870 | 49721 | 45.135.232.38 | 192.168.2.6
Sep 22, 2024 06:59:26.144974947 CEST | 57870 | 49721 | 45.135.232.38 | 192.168.2.6
Sep 22, 2024 06:59:26.145087957 CEST | 49721 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:26.145287037 CEST | 49721 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:26.150006056 CEST | 57870 | 49721 | 45.135.232.38 | 192.168.2.6
Sep 22, 2024 06:59:27.161607027 CEST | 49723 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:27.166528940 CEST | 57870 | 49723 | 45.135.232.38 | 192.168.2.6
Sep 22, 2024 06:59:27.166625023 CEST | 49723 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:27.169492006 CEST | 49723 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:27.174264908 CEST | 57870 | 49723 | 45.135.232.38 | 192.168.2.6
Sep 22, 2024 06:59:28.897447109 CEST | 57870 | 49723 | 45.135.232.38 | 192.168.2.6
Sep 22, 2024 06:59:28.897541046 CEST | 49723 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:28.897636890 CEST | 49723 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:28.902462006 CEST | 57870 | 49723 | 45.135.232.38 | 192.168.2.6
Sep 22, 2024 06:59:29.911820889 CEST | 49724 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:29.916886091 CEST | 57870 | 49724 | 45.135.232.38 | 192.168.2.6
Sep 22, 2024 06:59:29.916963100 CEST | 49724 | 57870 | 192.168.2.6 | 45.135.232.38
Sep 22, 2024 06:59:29.920233965 CEST | 49724 | 57870 | 192.168.2.6 | 45.135.232.38
                                Sep 22, 2024 06:59:29.925007105 CEST578704972445.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:31.663757086 CEST578704972445.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:31.663858891 CEST4972457870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:31.663933039 CEST4972457870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:31.668778896 CEST578704972445.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:32.677102089 CEST4972557870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:32.682188034 CEST578704972545.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:32.682277918 CEST4972557870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:32.685461998 CEST4972557870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:32.690356016 CEST578704972545.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:34.433291912 CEST578704972545.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:34.433408976 CEST4972557870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:34.433495045 CEST4972557870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:34.438462973 CEST578704972545.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:35.442812920 CEST4972657870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:35.447957993 CEST578704972645.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:35.448067904 CEST4972657870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:35.451482058 CEST4972657870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:35.456372023 CEST578704972645.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:37.197494030 CEST578704972645.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:37.197602987 CEST4972657870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:37.197688103 CEST4972657870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:37.202619076 CEST578704972645.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:38.208648920 CEST4972757870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:38.214569092 CEST578704972745.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:38.214716911 CEST4972757870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:38.219626904 CEST4972757870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:38.224555016 CEST578704972745.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:39.944262981 CEST578704972745.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:39.944401026 CEST4972757870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:39.950615883 CEST4972757870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:39.956533909 CEST578704972745.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:40.958436012 CEST4972857870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:40.963356018 CEST578704972845.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:40.963470936 CEST4972857870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:40.966381073 CEST4972857870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:40.971247911 CEST578704972845.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:42.730025053 CEST578704972845.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:42.730130911 CEST4972857870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:42.730199099 CEST4972857870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:42.735043049 CEST578704972845.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:43.746752024 CEST4972957870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:43.751770020 CEST578704972945.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:43.751854897 CEST4972957870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:43.755980015 CEST4972957870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:43.760854006 CEST578704972945.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:45.489727020 CEST578704972945.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:45.489836931 CEST4972957870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:45.489882946 CEST4972957870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:45.494785070 CEST578704972945.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:46.527139902 CEST4973157870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:46.532159090 CEST578704973145.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:46.532241106 CEST4973157870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:46.583944082 CEST4973157870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:46.588730097 CEST578704973145.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:48.462982893 CEST578704973145.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:48.463087082 CEST4973157870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:48.463170052 CEST4973157870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:48.468071938 CEST578704973145.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:49.474208117 CEST4973257870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:49.479614019 CEST578704973245.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:49.479712963 CEST4973257870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:49.484931946 CEST4973257870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:49.490427017 CEST578704973245.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:51.227164030 CEST578704973245.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:51.227277994 CEST4973257870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:51.227406979 CEST4973257870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:51.232374907 CEST578704973245.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:52.239970922 CEST4973357870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:52.500947952 CEST578704973345.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:52.501060009 CEST4973357870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:52.505500078 CEST4973357870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:52.526628971 CEST578704973345.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:54.292634964 CEST578704973345.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:54.292844057 CEST4973357870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:54.292845011 CEST4973357870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:54.298233032 CEST578704973345.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:55.302525043 CEST4973457870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:55.308283091 CEST578704973445.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:55.308408976 CEST4973457870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:55.313342094 CEST4973457870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:55.318758011 CEST578704973445.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:57.074088097 CEST578704973445.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:57.074321985 CEST4973457870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:57.074321985 CEST4973457870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:57.079430103 CEST578704973445.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:58.084105015 CEST4973557870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:58.090269089 CEST578704973545.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:58.090369940 CEST4973557870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:58.095293999 CEST4973557870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:58.104037046 CEST578704973545.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:59.849261045 CEST578704973545.135.232.38192.168.2.6
                                Sep 22, 2024 06:59:59.849373102 CEST4973557870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:59.849422932 CEST4973557870192.168.2.645.135.232.38
                                Sep 22, 2024 06:59:59.854640961 CEST578704973545.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:00.866337061 CEST4973757870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:00.884680033 CEST578704973745.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:00.884898901 CEST4973757870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:00.891782045 CEST4973757870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:00.916817904 CEST578704973745.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:03.353692055 CEST578704973745.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:03.353748083 CEST578704973745.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:03.353777885 CEST578704973745.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:03.353856087 CEST4973757870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:03.353929996 CEST4973757870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:03.353940964 CEST4973757870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:03.354171991 CEST4973757870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:03.359441996 CEST578704973745.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:04.365122080 CEST4973857870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:04.371085882 CEST578704973845.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:04.371206045 CEST4973857870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:04.375998974 CEST4973857870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:04.386946917 CEST578704973845.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:06.131711960 CEST578704973845.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:06.131830931 CEST4973857870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:06.131870031 CEST4973857870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:06.136943102 CEST578704973845.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:07.146178961 CEST4973957870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:07.157435894 CEST578704973945.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:07.157538891 CEST4973957870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:07.162615061 CEST4973957870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:07.185914993 CEST578704973945.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:08.948584080 CEST578704973945.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:08.948867083 CEST4973957870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:08.948867083 CEST4973957870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:08.954535007 CEST578704973945.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:10.841118097 CEST4974157870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:10.850627899 CEST578704974145.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:10.850840092 CEST4974157870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:10.855078936 CEST4974157870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:10.866281986 CEST578704974145.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:12.604811907 CEST578704974145.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:12.604912996 CEST4974157870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:12.604965925 CEST4974157870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:12.610284090 CEST578704974145.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:13.632860899 CEST4974257870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:13.638012886 CEST578704974245.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:13.638106108 CEST4974257870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:13.647839069 CEST4974257870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:13.652950048 CEST578704974245.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:15.382879019 CEST578704974245.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:15.382968903 CEST4974257870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:15.383006096 CEST4974257870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:15.388097048 CEST578704974245.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:16.442842007 CEST4974357870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:16.447962046 CEST578704974345.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:16.451942921 CEST4974357870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:16.511672020 CEST4974357870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:16.517043114 CEST578704974345.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:18.197988033 CEST578704974345.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:18.198060989 CEST4974357870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:18.198199034 CEST4974357870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:18.203358889 CEST578704974345.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:19.215962887 CEST4974457870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:19.220880032 CEST578704974445.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:19.223748922 CEST4974457870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:19.316751957 CEST4974457870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:19.321733952 CEST578704974445.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:21.321445942 CEST578704974445.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:21.321613073 CEST578704974445.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:21.321613073 CEST4974457870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:21.321692944 CEST4974457870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:21.321767092 CEST4974457870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:21.326797962 CEST578704974445.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:22.366564989 CEST4974557870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:22.371596098 CEST578704974545.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:22.371686935 CEST4974557870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:22.374990940 CEST4974557870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:22.379811049 CEST578704974545.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:24.259660006 CEST578704974545.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:24.263967037 CEST4974557870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:24.264008999 CEST4974557870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:24.269073009 CEST578704974545.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:25.278687954 CEST4974657870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:25.397468090 CEST578704974645.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:25.399689913 CEST4974657870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:25.402879000 CEST4974657870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:25.408310890 CEST578704974645.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:27.148616076 CEST578704974645.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:27.152347088 CEST4974657870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:27.152379990 CEST4974657870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:27.157332897 CEST578704974645.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:28.161576986 CEST4974757870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:28.166640043 CEST578704974745.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:28.168028116 CEST4974757870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:28.171188116 CEST4974757870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:28.175993919 CEST578704974745.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:30.705737114 CEST578704974745.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:30.705821037 CEST578704974745.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:30.705913067 CEST578704974745.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:30.705945015 CEST4974757870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:30.706028938 CEST4974757870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:30.706028938 CEST4974757870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:30.711005926 CEST578704974745.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:31.708314896 CEST4974857870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:31.714457035 CEST578704974845.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:31.714534044 CEST4974857870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:31.718214035 CEST4974857870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:31.723366976 CEST578704974845.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:33.444272041 CEST578704974845.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:33.445641041 CEST4974857870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:33.445688963 CEST4974857870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:33.450851917 CEST578704974845.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:34.458411932 CEST4974957870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:34.878211021 CEST578704974945.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:34.878298044 CEST4974957870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:34.881886959 CEST4974957870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:34.886760950 CEST578704974945.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:36.615539074 CEST578704974945.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:36.615659952 CEST4974957870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:36.615726948 CEST4974957870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:36.621071100 CEST578704974945.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:37.641877890 CEST4975057870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:38.483480930 CEST578704975045.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:38.483828068 CEST4975057870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:38.487000942 CEST4975057870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:38.492165089 CEST578704975045.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:40.226975918 CEST578704975045.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:40.227071047 CEST4975057870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:40.227133989 CEST4975057870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:40.232001066 CEST578704975045.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:41.239751101 CEST4975257870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:41.244738102 CEST578704975245.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:41.244813919 CEST4975257870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:41.247556925 CEST4975257870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:41.252464056 CEST578704975245.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:43.456459045 CEST578704975245.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:43.456562996 CEST578704975245.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:43.456572056 CEST4975257870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:43.456595898 CEST578704975245.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:43.456599951 CEST4975257870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:43.456643105 CEST4975257870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:43.456643105 CEST4975257870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:43.461405039 CEST578704975245.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:44.426959991 CEST4975357870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:44.433763981 CEST578704975345.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:44.433873892 CEST4975357870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:44.436692953 CEST4975357870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:44.444792032 CEST578704975345.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:46.228091955 CEST578704975345.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:46.228250027 CEST4975357870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:46.228283882 CEST4975357870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:46.233623981 CEST578704975345.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:47.179800034 CEST4975457870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:47.184987068 CEST578704975445.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:47.185197115 CEST4975457870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:47.192260027 CEST4975457870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:47.197400093 CEST578704975445.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:48.947216034 CEST578704975445.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:48.948962927 CEST4975457870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:48.958043098 CEST4975457870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:48.963079929 CEST578704975445.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:49.942771912 CEST4975557870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:49.948229074 CEST578704975545.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:49.951821089 CEST4975557870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:49.955054045 CEST4975557870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:49.960614920 CEST578704975545.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:51.716947079 CEST578704975545.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:51.717426062 CEST4975557870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:51.717463017 CEST4975557870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:51.722542048 CEST578704975545.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:52.598875046 CEST4975657870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:52.604274035 CEST578704975645.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:52.608156919 CEST4975657870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:52.611439943 CEST4975657870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:52.616507053 CEST578704975645.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:54.369838953 CEST578704975645.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:54.371885061 CEST4975657870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:54.371885061 CEST4975657870192.168.2.645.135.232.38
                                Sep 22, 2024 07:00:54.376977921 CEST578704975645.135.232.38192.168.2.6
                                Sep 22, 2024 07:00:55.223942041 CEST4975757870192.168.2.645.135.232.38
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Sep 22, 2024 07:00:56.239453077 CEST  57870  49757  45.135.232.38  192.168.2.6
Sep 22, 2024 07:00:56.239942074 CEST  49757  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:00:56.243083954 CEST  49757  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:00:56.247899055 CEST  57870  49757  45.135.232.38  192.168.2.6
Sep 22, 2024 07:00:57.984666109 CEST  57870  49757  45.135.232.38  192.168.2.6
Sep 22, 2024 07:00:57.985616922 CEST  49757  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:00:57.985618114 CEST  49757  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:00:57.990999937 CEST  57870  49757  45.135.232.38  192.168.2.6
Sep 22, 2024 07:00:58.817770004 CEST  49758  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:00:58.831665039 CEST  57870  49758  45.135.232.38  192.168.2.6
Sep 22, 2024 07:00:58.831760883 CEST  49758  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:00:58.835844040 CEST  49758  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:00:58.848994017 CEST  57870  49758  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:00.626142025 CEST  57870  49758  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:00.629283905 CEST  49758  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:00.631829977 CEST  49758  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:00.637382984 CEST  57870  49758  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:01.426979065 CEST  49759  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:01.453594923 CEST  57870  49759  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:01.456427097 CEST  49759  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:01.459741116 CEST  49759  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:01.478849888 CEST  57870  49759  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:03.289227009 CEST  57870  49759  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:03.292012930 CEST  49759  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:03.292089939 CEST  49759  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:03.341170073 CEST  57870  49759  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:04.067734003 CEST  49760  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:04.086747885 CEST  57870  49760  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:04.086847067 CEST  49760  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:04.090172052 CEST  49760  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:04.122791052 CEST  57870  49760  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:05.895909071 CEST  57870  49760  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:05.897145987 CEST  49760  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:05.898705006 CEST  49760  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:05.915457010 CEST  57870  49760  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:06.645613909 CEST  49761  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:06.653764963 CEST  57870  49761  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:06.656316042 CEST  49761  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:06.659447908 CEST  49761  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:06.668193102 CEST  57870  49761  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:08.447748899 CEST  57870  49761  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:08.448575974 CEST  49761  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:08.448698997 CEST  49761  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:08.455593109 CEST  57870  49761  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:09.190177917 CEST  49762  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:09.203671932 CEST  57870  49762  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:09.203767061 CEST  49762  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:09.244584084 CEST  49762  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:09.256969929 CEST  57870  49762  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:11.011300087 CEST  57870  49762  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:11.012142897 CEST  49762  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:11.012345076 CEST  49762  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:11.018862963 CEST  57870  49762  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:11.841101885 CEST  49763  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:11.857069016 CEST  57870  49763  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:11.857151031 CEST  49763  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:11.860296965 CEST  49763  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:11.870763063 CEST  57870  49763  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:13.653337002 CEST  57870  49763  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:13.653414011 CEST  49763  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:13.653467894 CEST  49763  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:13.660171032 CEST  57870  49763  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:14.333712101 CEST  49764  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:14.338754892 CEST  57870  49764  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:14.338912010 CEST  49764  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:14.341691971 CEST  49764  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:14.346698046 CEST  57870  49764  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:16.106482029 CEST  57870  49764  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:16.106591940 CEST  49764  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:16.106973886 CEST  49764  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:16.112824917 CEST  57870  49764  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:16.755909920 CEST  49765  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:16.781111002 CEST  57870  49765  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:16.781188965 CEST  49765  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:16.784470081 CEST  49765  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:16.801187038 CEST  57870  49765  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:18.592679977 CEST  57870  49765  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:18.593012094 CEST  49765  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:18.593012094 CEST  49765  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:18.598202944 CEST  57870  49765  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:19.223926067 CEST  49766  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:19.228941917 CEST  57870  49766  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:19.229037046 CEST  49766  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:19.232249975 CEST  49766  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:19.237121105 CEST  57870  49766  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:20.980194092 CEST  57870  49766  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:20.980273962 CEST  49766  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:20.980731964 CEST  49766  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:20.985613108 CEST  57870  49766  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:21.583365917 CEST  49768  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:21.588679075 CEST  57870  49768  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:21.588774920 CEST  49768  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:21.591969967 CEST  49768  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:21.596837044 CEST  57870  49768  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:23.320002079 CEST  57870  49768  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:23.320106030 CEST  49768  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:23.361963987 CEST  49768  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:23.367240906 CEST  57870  49768  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:23.959086895 CEST  49769  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:23.964195013 CEST  57870  49769  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:23.964293957 CEST  49769  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:23.967463970 CEST  49769  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:23.972397089 CEST  57870  49769  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:25.712140083 CEST  57870  49769  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:25.712219000 CEST  49769  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:25.712304115 CEST  49769  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:25.717086077 CEST  57870  49769  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:26.299084902 CEST  49770  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:26.304111958 CEST  57870  49770  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:26.309565067 CEST  49770  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:26.357419968 CEST  49770  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:26.362236023 CEST  57870  49770  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:28.075613022 CEST  57870  49770  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:28.075707912 CEST  49770  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:28.075814962 CEST  49770  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:28.080858946 CEST  57870  49770  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:28.630250931 CEST  49771  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:28.635272980 CEST  57870  49771  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:28.635346889 CEST  49771  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:28.638518095 CEST  49771  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:28.643368006 CEST  57870  49771  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:30.389965057 CEST  57870  49771  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:30.390100956 CEST  49771  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:30.390229940 CEST  49771  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:30.394970894 CEST  57870  49771  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:30.927948952 CEST  49772  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:30.933197021 CEST  57870  49772  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:30.933320045 CEST  49772  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:30.938154936 CEST  49772  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:30.943041086 CEST  57870  49772  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:32.663254023 CEST  57870  49772  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:32.663479090 CEST  49772  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:32.663667917 CEST  49772  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:32.668484926 CEST  57870  49772  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:33.177182913 CEST  49773  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:33.182127953 CEST  57870  49773  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:33.182226896 CEST  49773  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:33.188174963 CEST  49773  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:33.193022966 CEST  57870  49773  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:34.914045095 CEST  57870  49773  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:34.914133072 CEST  49773  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:34.914170980 CEST  49773  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:34.919003963 CEST  57870  49773  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:35.411273003 CEST  49774  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:35.416320086 CEST  57870  49774  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:35.416399956 CEST  49774  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:35.419933081 CEST  49774  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:35.424786091 CEST  57870  49774  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:37.170902014 CEST  57870  49774  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:37.170958042 CEST  49774  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:37.171005011 CEST  49774  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:37.175918102 CEST  57870  49774  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:37.661449909 CEST  49775  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:37.666456938 CEST  57870  49775  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:37.666549921 CEST  49775  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:37.669372082 CEST  49775  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:37.674218893 CEST  57870  49775  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:39.399429083 CEST  57870  49775  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:39.399534941 CEST  49775  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:39.399648905 CEST  49775  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:39.404405117 CEST  57870  49775  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:39.864840984 CEST  49776  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:39.869858980 CEST  57870  49776  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:39.869931936 CEST  49776  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:39.874898911 CEST  49776  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:39.879738092 CEST  57870  49776  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:41.639703989 CEST  57870  49776  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:41.639787912 CEST  49776  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:41.639849901 CEST  49776  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:41.644747019 CEST  57870  49776  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:42.098807096 CEST  49777  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:42.103902102 CEST  57870  49777  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:42.104553938 CEST  49777  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:42.107749939 CEST  49777  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:42.112617970 CEST  57870  49777  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:43.853193998 CEST  57870  49777  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:43.853528023 CEST  49777  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:43.853564978 CEST  49777  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:43.858516932 CEST  57870  49777  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:44.286269903 CEST  49778  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:44.291465044 CEST  57870  49778  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:44.291568995 CEST  49778  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:44.294348955 CEST  49778  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:44.299206018 CEST  57870  49778  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:46.044315100 CEST  57870  49778  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:46.045605898 CEST  49778  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:46.045780897 CEST  49778  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:46.050610065 CEST  57870  49778  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:46.474050999 CEST  49779  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:46.479127884 CEST  57870  49779  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:46.479228973 CEST  49779  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:46.483295918 CEST  49779  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:46.488096952 CEST  57870  49779  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:48.230967045 CEST  57870  49779  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:48.231091022 CEST  49779  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:48.231237888 CEST  49779  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:48.236373901 CEST  57870  49779  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:48.645889044 CEST  49780  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:48.651088953 CEST  57870  49780  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:48.651179075 CEST  49780  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:48.654556036 CEST  49780  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:48.659362078 CEST  57870  49780  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:50.384496927 CEST  57870  49780  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:50.385557890 CEST  49780  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:50.385755062 CEST  49780  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:50.390573025 CEST  57870  49780  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:50.786204100 CEST  49781  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:50.791229963 CEST  57870  49781  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:50.792615891 CEST  49781  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:50.795958996 CEST  49781  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:50.800853014 CEST  57870  49781  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:52.541506052 CEST  57870  49781  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:52.541585922 CEST  49781  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:52.541676044 CEST  49781  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:52.550237894 CEST  57870  49781  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:52.928186893 CEST  49782  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:52.937891006 CEST  57870  49782  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:52.938062906 CEST  49782  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:52.945424080 CEST  49782  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:52.950284004 CEST  57870  49782  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:54.683254957 CEST  57870  49782  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:54.685570002 CEST  49782  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:54.685734034 CEST  49782  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:54.690587997 CEST  57870  49782  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:55.052349091 CEST  49783  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:55.057399035 CEST  57870  49783  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:55.057487965 CEST  49783  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:55.062256098 CEST  49783  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:55.067279100 CEST  57870  49783  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:56.799263954 CEST  57870  49783  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:56.799429893 CEST  49783  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:56.799518108 CEST  49783  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:56.804425955 CEST  57870  49783  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:57.161564112 CEST  49784  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:57.166541100 CEST  57870  49784  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:57.166654110 CEST  49784  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:57.170093060 CEST  49784  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:57.175103903 CEST  57870  49784  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:58.900271893 CEST  57870  49784  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:58.900383949 CEST  49784  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:58.900439978 CEST  49784  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:58.905453920 CEST  57870  49784  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:59.277841091 CEST  49785  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:59.283165932 CEST  57870  49785  45.135.232.38  192.168.2.6
Sep 22, 2024 07:01:59.283268929 CEST  49785  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:59.339248896 CEST  49785  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:01:59.344547987 CEST  57870  49785  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:01.045269966 CEST  57870  49785  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:01.045619965 CEST  49785  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:01.045770884 CEST  49785  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:01.050543070 CEST  57870  49785  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:01.380405903 CEST  49786  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:01.385431051 CEST  57870  49786  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:01.387582064 CEST  49786  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:01.392301083 CEST  49786  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:01.397195101 CEST  57870  49786  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:03.191577911 CEST  57870  49786  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:03.191764116 CEST  49786  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:03.191857100 CEST  49786  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:03.197134018 CEST  57870  49786  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:03.521238089 CEST  49787  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:03.668531895 CEST  57870  49787  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:03.668683052 CEST  49787  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:03.673346043 CEST  49787  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:03.678385019 CEST  57870  49787  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:05.413100004 CEST  57870  49787  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:05.416384935 CEST  49787  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:05.416449070 CEST  49787  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:05.421816111 CEST  57870  49787  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:05.729760885 CEST  49788  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:05.745207071 CEST  57870  49788  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:05.747769117 CEST  49788  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:05.754916906 CEST  49788  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:05.761951923 CEST  57870  49788  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:08.275252104 CEST  57870  49788  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:08.275732040 CEST  57870  49788  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:08.275765896 CEST  57870  49788  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:08.275836945 CEST  49788  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:08.275935888 CEST  49788  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:08.275935888 CEST  49788  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:08.281455994 CEST  57870  49788  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:08.583178043 CEST  49789  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:08.596446991 CEST  57870  49789  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:08.599746943 CEST  49789  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:08.603452921 CEST  49789  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:08.608814955 CEST  57870  49789  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:10.371681929 CEST  57870  49789  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:10.371778965 CEST  49789  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:10.371819973 CEST  49789  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:10.377119064 CEST  57870  49789  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:10.661490917 CEST  49790  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:10.666840076 CEST  57870  49790  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:10.669542074 CEST  49790  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:10.672952890 CEST  49790  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:10.679105997 CEST  57870  49790  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:12.415174007 CEST  57870  49790  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:12.417597055 CEST  49790  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:12.426328897 CEST  49790  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:12.435528994 CEST  57870  49790  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:12.849323034 CEST  49791  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:12.855123043 CEST  57870  49791  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:12.855253935 CEST  49791  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:12.859823942 CEST  49791  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:12.869066954 CEST  57870  49791  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:14.606092930 CEST  57870  49791  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:14.609575987 CEST  49791  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:14.609659910 CEST  49791  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:14.614821911 CEST  57870  49791  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:14.879894018 CEST  49792  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:14.899826050 CEST  57870  49792  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:14.901552916 CEST  49792  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:14.904380083 CEST  49792  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:14.926090002 CEST  57870  49792  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:16.696780920 CEST  57870  49792  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:16.697554111 CEST  49792  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:16.697679996 CEST  49792  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:16.711973906 CEST  57870  49792  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:16.958574057 CEST  49793  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:16.971545935 CEST  57870  49793  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:16.972903013 CEST  49793  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:16.976110935 CEST  49793  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:17.002999067 CEST  57870  49793  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:18.766654015 CEST  57870  49793  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:18.766746044 CEST  49793  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:18.766825914 CEST  49793  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:18.771795988 CEST  57870  49793  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:19.020855904 CEST  49794  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:19.029217958 CEST  57870  49794  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:19.032089949 CEST  49794  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:19.034902096 CEST  49794  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:19.039833069 CEST  57870  49794  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:20.789514065 CEST  57870  49794  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:20.793639898 CEST  49794  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:20.793639898 CEST  49794  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:20.802906990 CEST  57870  49794  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:21.036401033 CEST  49795  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:21.041608095 CEST  57870  49795  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:21.045556068 CEST  49795  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:21.048297882 CEST  49795  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:21.053241014 CEST  57870  49795  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:22.792958975 CEST  57870  49795  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:22.793665886 CEST  49795  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:22.793665886 CEST  49795  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:22.801265955 CEST  57870  49795  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:23.036313057 CEST  49796  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:23.041508913 CEST  57870  49796  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:23.041687965 CEST  49796  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:23.045001984 CEST  49796  57870  192.168.2.6  45.135.232.38
Sep 22, 2024 07:02:23.049938917 CEST  57870  49796  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:24.793742895 CEST  57870  49796  45.135.232.38  192.168.2.6
Sep 22, 2024 07:02:24.797528028 CEST  49796  57870  192.168.2.6  45.135.232.38
                                Sep 22, 2024 07:02:24.797581911 CEST4979657870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:24.808449984 CEST578704979645.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:25.043230057 CEST4979757870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:25.048891068 CEST578704979745.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:25.049542904 CEST4979757870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:25.052608013 CEST4979757870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:25.061188936 CEST578704979745.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:26.791866064 CEST578704979745.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:26.793555975 CEST4979757870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:26.793606043 CEST4979757870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:26.799521923 CEST578704979745.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:27.020791054 CEST4979857870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:27.025989056 CEST578704979845.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:27.026072025 CEST4979857870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:27.029160976 CEST4979857870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:27.033993006 CEST578704979845.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:28.813318968 CEST578704979845.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:28.813400984 CEST4979857870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:28.813477993 CEST4979857870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:28.818355083 CEST578704979845.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:29.036741018 CEST4979957870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:29.041775942 CEST578704979945.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:29.041857004 CEST4979957870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:29.046430111 CEST4979957870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:29.051254034 CEST578704979945.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:30.775563002 CEST578704979945.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:30.775691032 CEST4979957870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:30.775767088 CEST4979957870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:30.783438921 CEST578704979945.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:30.989877939 CEST4980057870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:30.995145082 CEST578704980045.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:30.995346069 CEST4980057870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:30.999075890 CEST4980057870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:31.004595995 CEST578704980045.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:32.747895956 CEST578704980045.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:32.752168894 CEST4980057870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:32.752170086 CEST4980057870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:32.757106066 CEST578704980045.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:32.958337069 CEST4980157870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:32.964411974 CEST578704980145.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:32.967561960 CEST4980157870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:32.971009970 CEST4980157870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:32.976962090 CEST578704980145.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:34.715147972 CEST578704980145.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:34.715224028 CEST4980157870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:34.715295076 CEST4980157870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:34.720140934 CEST578704980145.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:34.911197901 CEST4980257870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:34.916282892 CEST578704980245.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:34.920001984 CEST4980257870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:34.922822952 CEST4980257870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:34.927704096 CEST578704980245.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:36.681993961 CEST578704980245.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:36.682097912 CEST4980257870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:36.682097912 CEST4980257870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:36.687539101 CEST578704980245.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:36.880090952 CEST4980357870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:36.885202885 CEST578704980345.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:36.885297060 CEST4980357870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:36.888972044 CEST4980357870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:36.893851042 CEST578704980345.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:38.644383907 CEST578704980345.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:38.644458055 CEST4980357870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:38.644536972 CEST4980357870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:38.649561882 CEST578704980345.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:38.833461046 CEST4980457870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:38.838710070 CEST578704980445.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:38.838828087 CEST4980457870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:38.841660023 CEST4980457870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:38.846561909 CEST578704980445.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:40.601486921 CEST578704980445.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:40.601792097 CEST4980457870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:40.601792097 CEST4980457870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:40.606864929 CEST578704980445.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:40.786293030 CEST4980557870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:40.791604042 CEST578704980545.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:40.791754007 CEST4980557870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:40.794549942 CEST4980557870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:40.799808025 CEST578704980545.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:42.545114994 CEST578704980545.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:42.545587063 CEST4980557870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:42.545738935 CEST4980557870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:42.550626993 CEST578704980545.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:42.735218048 CEST4980657870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:42.740458965 CEST578704980645.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:42.740595102 CEST4980657870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:42.745229006 CEST4980657870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:42.750327110 CEST578704980645.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:44.545875072 CEST578704980645.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:44.545963049 CEST4980657870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:44.546072960 CEST4980657870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:44.550934076 CEST578704980645.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:44.708374023 CEST4980757870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:44.713588953 CEST578704980745.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:44.713665962 CEST4980757870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:44.716736078 CEST4980757870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:44.721646070 CEST578704980745.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:46.445951939 CEST578704980745.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:46.446047068 CEST4980757870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:46.446130991 CEST4980757870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:46.451060057 CEST578704980745.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:46.614372015 CEST4980857870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:46.619908094 CEST578704980845.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:46.619982958 CEST4980857870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:46.623986959 CEST4980857870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:46.629251957 CEST578704980845.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:48.374020100 CEST578704980845.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:48.374103069 CEST4980857870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:48.374263048 CEST4980857870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:48.379091978 CEST578704980845.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:48.536551952 CEST4980957870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:48.541857004 CEST578704980945.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:48.541932106 CEST4980957870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:48.545651913 CEST4980957870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:48.550721884 CEST578704980945.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:50.300448895 CEST578704980945.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:50.300609112 CEST4980957870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:50.300698996 CEST4980957870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:50.306035995 CEST578704980945.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:50.458681107 CEST4981157870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:50.464135885 CEST578704981145.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:50.464301109 CEST4981157870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:50.468050003 CEST4981157870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:50.472953081 CEST578704981145.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:52.211441994 CEST578704981145.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:52.211500883 CEST4981157870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:52.211570978 CEST4981157870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:52.216504097 CEST578704981145.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:52.364449978 CEST4981257870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:52.369460106 CEST578704981245.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:52.369555950 CEST4981257870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:52.372647047 CEST4981257870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:52.377422094 CEST578704981245.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:54.155220985 CEST578704981245.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:54.155293941 CEST4981257870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:54.155410051 CEST4981257870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:54.160304070 CEST578704981245.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:54.301675081 CEST4981357870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:54.307329893 CEST578704981345.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:54.307396889 CEST4981357870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:54.310220957 CEST4981357870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:54.316154003 CEST578704981345.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:56.059602022 CEST578704981345.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:56.059662104 CEST4981357870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:56.059698105 CEST4981357870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:56.064521074 CEST578704981345.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:56.192554951 CEST4981457870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:56.197411060 CEST578704981445.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:56.197474957 CEST4981457870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:56.200754881 CEST4981457870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:56.205574036 CEST578704981445.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:57.957815886 CEST578704981445.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:57.961525917 CEST4981457870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:57.961560965 CEST4981457870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:57.966666937 CEST578704981445.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:58.098942995 CEST4981557870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:58.103949070 CEST578704981545.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:58.104034901 CEST4981557870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:58.106798887 CEST4981557870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:58.111613989 CEST578704981545.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:59.851855993 CEST578704981545.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:59.851928949 CEST4981557870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:59.851991892 CEST4981557870192.168.2.645.135.232.38
                                Sep 22, 2024 07:02:59.856829882 CEST578704981545.135.232.38192.168.2.6
                                Sep 22, 2024 07:02:59.992793083 CEST4981657870192.168.2.645.135.232.38
                                Sep 22, 2024 07:03:00.104166031 CEST578704981645.135.232.38192.168.2.6
                                Sep 22, 2024 07:03:00.107804060 CEST4981657870192.168.2.645.135.232.38
                                Sep 22, 2024 07:03:00.142923117 CEST4981657870192.168.2.645.135.232.38
                                Sep 22, 2024 07:03:00.147926092 CEST578704981645.135.232.38192.168.2.6
                                Sep 22, 2024 07:03:01.852529049 CEST578704981645.135.232.38192.168.2.6
                                Sep 22, 2024 07:03:01.852610111 CEST4981657870192.168.2.645.135.232.38
                                Sep 22, 2024 07:03:01.852696896 CEST4981657870192.168.2.645.135.232.38
                                Sep 22, 2024 07:03:01.857608080 CEST578704981645.135.232.38192.168.2.6
                                Sep 22, 2024 07:03:01.974148035 CEST4981757870192.168.2.645.135.232.38
                                Sep 22, 2024 07:03:01.979166031 CEST578704981745.135.232.38192.168.2.6
                                Sep 22, 2024 07:03:01.979249001 CEST4981757870192.168.2.645.135.232.38
                                Sep 22, 2024 07:03:01.983140945 CEST4981757870192.168.2.645.135.232.38
                                Sep 22, 2024 07:03:01.988056898 CEST578704981745.135.232.38192.168.2.6
                                Sep 22, 2024 07:03:03.732995987 CEST578704981745.135.232.38192.168.2.6
                                Sep 22, 2024 07:03:03.733062029 CEST4981757870192.168.2.645.135.232.38
                                Sep 22, 2024 07:03:03.733148098 CEST4981757870192.168.2.645.135.232.38
                                Sep 22, 2024 07:03:03.737957001 CEST578704981745.135.232.38192.168.2.6
                                Sep 22, 2024 07:03:03.848525047 CEST4981857870192.168.2.645.135.232.38
                                Sep 22, 2024 07:03:03.853334904 CEST578704981845.135.232.38192.168.2.6
                                Sep 22, 2024 07:03:03.853390932 CEST4981857870192.168.2.645.135.232.38
                                Sep 22, 2024 07:03:03.856161118 CEST4981857870192.168.2.645.135.232.38
                                Sep 22, 2024 07:03:03.860935926 CEST578704981845.135.232.38192.168.2.6
                                Sep 22, 2024 07:03:05.606663942 CEST578704981845.135.232.38192.168.2.6
                                Sep 22, 2024 07:03:05.608546019 CEST4981857870192.168.2.645.135.232.38
                                Sep 22, 2024 07:03:05.621499062 CEST4981857870192.168.2.645.135.232.38
                                Sep 22, 2024 07:03:05.626353025 CEST578704981845.135.232.38192.168.2.6
                                Sep 22, 2024 07:03:05.829673052 CEST4981957870192.168.2.645.135.232.38
                                Sep 22, 2024 07:03:05.834686995 CEST578704981945.135.232.38192.168.2.6
                                Sep 22, 2024 07:03:05.834770918 CEST4981957870192.168.2.645.135.232.38
                                Sep 22, 2024 07:03:05.839077950 CEST4981957870192.168.2.645.135.232.38
                                Sep 22, 2024 07:03:05.843915939 CEST578704981945.135.232.38192.168.2.6
                                Sep 22, 2024 07:03:07.595952034 CEST578704981945.135.232.38192.168.2.6
                                Sep 22, 2024 07:03:07.597547054 CEST4981957870192.168.2.645.135.232.38
                                Sep 22, 2024 07:03:07.597625971 CEST4981957870192.168.2.645.135.232.38
                                Sep 22, 2024 07:03:07.602608919 CEST578704981945.135.232.38192.168.2.6
                                Sep 22, 2024 07:03:07.707943916 CEST4982057870192.168.2.645.135.232.38
                                Sep 22, 2024 07:03:07.713089943 CEST578704982045.135.232.38192.168.2.6
                                Sep 22, 2024 07:03:07.713536024 CEST4982057870192.168.2.645.135.232.38
                                Sep 22, 2024 07:03:07.716327906 CEST4982057870192.168.2.645.135.232.38
                                Sep 22, 2024 07:03:07.721282959 CEST578704982045.135.232.38192.168.2.6
                                Sep 22, 2024 07:03:09.472107887 CEST578704982045.135.232.38192.168.2.6
                                Sep 22, 2024 07:03:09.473629951 CEST4982057870192.168.2.645.135.232.38
                                Sep 22, 2024 07:03:09.473629951 CEST4982057870192.168.2.645.135.232.38
                                Sep 22, 2024 07:03:09.507271051 CEST578704982045.135.232.38192.168.2.6
                                Sep 22, 2024 07:03:09.582889080 CEST4982157870192.168.2.645.135.232.38
                                Sep 22, 2024 07:03:09.592031956 CEST578704982145.135.232.38192.168.2.6
                                Sep 22, 2024 07:03:09.593621969 CEST4982157870192.168.2.645.135.232.38
                                Sep 22, 2024 07:03:09.596261978 CEST4982157870192.168.2.645.135.232.38
                                Sep 22, 2024 07:03:09.601219893 CEST578704982145.135.232.38192.168.2.6
                                Sep 22, 2024 07:03:11.487462997 CEST578704982145.135.232.38192.168.2.6
                                Sep 22, 2024 07:03:11.487557888 CEST4982157870192.168.2.645.135.232.38
                                Sep 22, 2024 07:03:11.487643003 CEST4982157870192.168.2.645.135.232.38
                                Sep 22, 2024 07:03:11.510766029 CEST578704982145.135.232.38192.168.2.6
                                Sep 22, 2024 07:03:11.605308056 CEST4982257870192.168.2.645.135.232.38
                                Sep 22, 2024 07:03:11.618928909 CEST578704982245.135.232.38192.168.2.6
                                Sep 22, 2024 07:03:11.620934010 CEST4982257870192.168.2.645.135.232.38
                                Sep 22, 2024 07:03:11.635519028 CEST4982257870192.168.2.645.135.232.38
                                Sep 22, 2024 07:03:11.665499926 CEST578704982245.135.232.38192.168.2.6
                                Sep 22, 2024 07:03:13.412863970 CEST578704982245.135.232.38192.168.2.6
                                Sep 22, 2024 07:03:13.413002014 CEST4982257870192.168.2.645.135.232.38
                                Sep 22, 2024 07:03:13.413002014 CEST4982257870192.168.2.645.135.232.38
                                Sep 22, 2024 07:03:13.424499035 CEST578704982245.135.232.38192.168.2.6
                                Sep 22, 2024 07:03:13.654186964 CEST4982357870192.168.2.645.135.232.38
                                Sep 22, 2024 07:03:13.661434889 CEST578704982345.135.232.38192.168.2.6
                                Sep 22, 2024 07:03:13.661593914 CEST4982357870192.168.2.645.135.232.38
                                Sep 22, 2024 07:03:13.664271116 CEST4982357870192.168.2.645.135.232.38
                                Sep 22, 2024 07:03:13.678659916 CEST578704982345.135.232.38192.168.2.6
                                Sep 22, 2024 07:03:15.423234940 CEST578704982345.135.232.38192.168.2.6
                                Sep 22, 2024 07:03:15.423340082 CEST4982357870192.168.2.645.135.232.38
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 22, 2024 06:59:07.125627995 CEST | 55774 | 53 | 192.168.2.6 | 1.1.1.1
Sep 22, 2024 06:59:07.730021954 CEST | 53 | 55774 | 1.1.1.1 | 192.168.2.6
Sep 22, 2024 07:00:09.957912922 CEST | 53055 | 53 | 192.168.2.6 | 1.1.1.1
Sep 22, 2024 07:00:10.838821888 CEST | 53 | 53055 | 1.1.1.1 | 192.168.2.6
Sep 22, 2024 07:01:11.709204912 CEST | 55252 | 53 | 192.168.2.6 | 1.1.1.1
Sep 22, 2024 07:01:11.839762926 CEST | 53 | 55252 | 1.1.1.1 | 192.168.2.6
Sep 22, 2024 07:02:12.709332943 CEST | 64164 | 53 | 192.168.2.6 | 1.1.1.1
Sep 22, 2024 07:02:12.845796108 CEST | 53 | 64164 | 1.1.1.1 | 192.168.2.6
Sep 22, 2024 07:03:13.520282984 CEST | 54397 | 53 | 192.168.2.6 | 1.1.1.1
Sep 22, 2024 07:03:13.653544903 CEST | 53 | 54397 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 22, 2024 06:59:07.125627995 CEST | 192.168.2.6 | 1.1.1.1 | 0x8827 | Standard query (0) | rfwr.duckdns.org | A (IP address) | IN (0x0001) | false
Sep 22, 2024 07:00:09.957912922 CEST | 192.168.2.6 | 1.1.1.1 | 0x3bdd | Standard query (0) | rfwr.duckdns.org | A (IP address) | IN (0x0001) | false
Sep 22, 2024 07:01:11.709204912 CEST | 192.168.2.6 | 1.1.1.1 | 0x9f2a | Standard query (0) | rfwr.duckdns.org | A (IP address) | IN (0x0001) | false
Sep 22, 2024 07:02:12.709332943 CEST | 192.168.2.6 | 1.1.1.1 | 0x177b | Standard query (0) | rfwr.duckdns.org | A (IP address) | IN (0x0001) | false
Sep 22, 2024 07:03:13.520282984 CEST | 192.168.2.6 | 1.1.1.1 | 0x1aaa | Standard query (0) | rfwr.duckdns.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 22, 2024 06:59:07.730021954 CEST | 1.1.1.1 | 192.168.2.6 | 0x8827 | No error (0) | rfwr.duckdns.org | | 45.135.232.38 | A (IP address) | IN (0x0001) | false
Sep 22, 2024 07:00:10.838821888 CEST | 1.1.1.1 | 192.168.2.6 | 0x3bdd | No error (0) | rfwr.duckdns.org | | 45.135.232.38 | A (IP address) | IN (0x0001) | false
Sep 22, 2024 07:01:11.839762926 CEST | 1.1.1.1 | 192.168.2.6 | 0x9f2a | No error (0) | rfwr.duckdns.org | | 45.135.232.38 | A (IP address) | IN (0x0001) | false
Sep 22, 2024 07:02:12.845796108 CEST | 1.1.1.1 | 192.168.2.6 | 0x177b | No error (0) | rfwr.duckdns.org | | 45.135.232.38 | A (IP address) | IN (0x0001) | false
Sep 22, 2024 07:03:13.653544903 CEST | 1.1.1.1 | 192.168.2.6 | 0x1aaa | No error (0) | rfwr.duckdns.org | | 45.135.232.38 | A (IP address) | IN (0x0001) | false

                                Target ID:0
                                Start time:00:59:05
                                Start date:22/09/2024
                                Path:C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe"
                                Imagebase:0x400000
                                File size:494'592 bytes
                                MD5 hash:77AF19D8B1CBBD2762BA3EB3EF2BF9DF
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4630144728.000000000227F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000000.2158852443.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000000.2158852443.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.2158852443.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000000.2158852443.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4629994767.000000000055E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                Reputation: low
                                Has exited: false
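The rule list above repeats the same few rule names against different memory-dump sources, and the source string is where the triage value sits: it tells you which region of the process the match fired in. The script below is an added example, not part of the Joe Sandbox report or Joe Security's tooling. It parses "Rule: … Source: … Author: …" lines, splits the `.sdmp` source name into its dotted fields, and groups the rules by (base address, page protection, memory type). The field layout of the source name (pid index, snapshot index, dump id, base address, protection, unknown, memory type, unknown) is an assumption about Joe Sandbox's naming; the protection and type fields are decoded with the standard Win32 PAGE_* and MEM_* constants. The sample input is constructed from four of the bullets shown above.

```python
"""Group Joe Sandbox YARA hits by the memory region they fired in (added example)."""
import re
from collections import defaultdict

# Constructed sample: four of the 'Rule:' bullets from this report, bullets removed.
SAMPLE_HITS = """\
Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4630144728.000000000227F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000000.2158852443.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000000.2158852443.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
"""

HIT_RE = re.compile(
    r"Rule:\s*(?P<rule>[^,]+),\s*Description:\s*(?P<desc>.*?),\s*"
    r"Source:\s*(?P<source>\S+?\.sdmp),\s*Author:\s*(?P<author>.+)$"
)

# Win32 memory constants from winnt.h, used to decode two of the source fields.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


def parse_source(source):
    """Split an '.sdmp' name into labelled fields.

    Assumed layout: pid_index.snapshot.dump_id.base.protect.<unknown>.mem_type.<unknown>.sdmp
    Only the fields whose meaning follows from the Win32 constants are decoded.
    """
    parts = source[: -len(".sdmp")].split(".")
    if len(parts) != 8:
        raise ValueError(f"unexpected source layout: {source}")
    protect = int(parts[4], 16)
    mem_type = int(parts[6], 16)
    return {
        "pid_index": int(parts[0], 16),
        "snapshot": int(parts[1], 16),          # 0 and 2 are the two indices seen in this report
        "dump_id": parts[2],
        "base": int(parts[3], 16),
        "protect": PAGE_PROTECT.get(protect & 0xFF, hex(protect)),
        "type": MEM_TYPE.get(mem_type, hex(mem_type)),
    }


def parse_hits(text):
    """Return one dict per 'Rule: …' line; leading bullets and whitespace are tolerated."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip().lstrip("• ").strip())
        if m:
            hits.append(m.groupdict())
    return hits


def group_by_region(hits):
    """Map (base, protection, memory type) -> sorted list of rule names that fired there."""
    regions = defaultdict(set)
    for h in hits:
        src = parse_source(h["source"])
        regions[(src["base"], src["protect"], src["type"])].add(h["rule"])
    return {k: sorted(v) for k, v in regions.items()}


def report(text):
    """One line per region: base address, protection, type, rules."""
    rows = group_by_region(parse_hits(text))
    return [f"0x{base:08X} {protect:<20} {mtype:<12} {', '.join(rules)}"
            for (base, protect, mtype), rules in sorted(rows.items())]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_HITS)))
```

Run against the full list above, the read-only MEM_IMAGE region at 0x459000 (a section of the executable's own mapped image, present in both snapshots) carries every rule, while the PAGE_READWRITE MEM_PRIVATE regions at 0x227F000 and 0x55E000 carry only JoeSecurity_Remcos. Heap regions that only exist at run time are the ones worth dumping separately when looking for a decoded configuration.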


                                  Execution Graph

                                  Execution Coverage: 3.3%
                                  Dynamic/Decrypted Code Coverage: 0%
                                  Signature Coverage: 24.4%
                                  Total number of Nodes: 1159
                                  Total number of Limit Nodes: 46
                                  execution_graph: node/edge data of the interactive graph viewer omitted (1159 nodes, 46 limit nodes; see the counts above).
                                  Roots: 43bea8 (CRT helper: _swprintf, _strftime, EnterCriticalSection/LeaveCriticalSection) and 434918 (CRT startup: IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetStartupInfoW, GetModuleHandleW) leading into 40ea00.
                                  Win32 APIs named on the paths traced from 40ea00:
                                    Loader / resources:  LoadLibraryA, GetModuleHandleA, GetProcAddress, GetModuleFileNameW, FindResourceA, LoadResource, LockResource, SizeofResource, RtlAllocateHeap, StrToIntA
                                    Registry:            RegOpenKeyExA, RegOpenKeyExW, RegQueryValueExA, RegCreateKeyA, RegSetValueExA, RegDeleteValueW, RegCloseKey
                                    Process / threads:   CreateMutexA, GetLastError, CreateProcessA, CreateThread, SetProcessDEPPolicy, GetCurrentProcess, IsWow64Process, WaitForSingleObject, Sleep, DeleteFileW
                                    Host information:    GetComputerNameExW, GetUserNameW, GetLocalTime, GlobalMemoryStatusEx, GetLastInputInfo, GetTickCount
                                    Network:             WSAStartup, getaddrinfo, WSASetLastError, connect, WSAGetLastError
                                    Hook / window text:  SetWindowsHookExA, GetMessageA, TranslateMessage, DispatchMessageA, GetForegroundWindow, GetWindowTextLengthW, GetWindowTextW
                                    File system:         GetFileAttributesW, CreateDirectoryW, SetFileAttributesW, PathFileExistsW, GetLongPathNameW, CreateFileW, GetFileSize, SetFilePointer, WriteFile, CloseHandle
48331 404846 socket 48330->48331 48332 404839 48330->48332 48333 404860 CreateEventW 48331->48333 48334 404842 48331->48334 48444 40489e WSAStartup 48332->48444 48333->47688 48334->47688 48336 40483e 48336->48331 48336->48334 48338 404f65 48337->48338 48340 404fea 48337->48340 48339 404f6e 48338->48339 48341 404fc0 CreateEventA CreateThread 48338->48341 48342 404f7d GetLocalTime 48338->48342 48339->48341 48340->47688 48341->48340 48447 405150 48341->48447 48445 41bc1f 28 API calls 48342->48445 48344 404f91 48446 4052fd 28 API calls 48344->48446 48353 404a1b 48352->48353 48354 4048ee 48352->48354 48355 40497e 48353->48355 48356 404a21 WSAGetLastError 48353->48356 48354->48355 48358 40531e 28 API calls 48354->48358 48376 404923 48354->48376 48355->47688 48356->48355 48357 404a31 48356->48357 48359 404a36 48357->48359 48361 404932 48357->48361 48362 40490f 48358->48362 48462 41cb72 30 API calls 48359->48462 48365 402093 28 API calls 48361->48365 48366 402093 28 API calls 48362->48366 48364 40492b 48364->48361 48368 404941 48364->48368 48369 404a80 48365->48369 48370 40491e 48366->48370 48367 404a40 48463 4052fd 28 API calls 48367->48463 48378 404950 48368->48378 48379 404987 48368->48379 48372 402093 28 API calls 48369->48372 48373 41b580 80 API calls 48370->48373 48375 404a8f 48372->48375 48373->48376 48381 41b580 80 API calls 48375->48381 48451 420cf1 27 API calls 48376->48451 48380 402093 28 API calls 48378->48380 48459 421ad1 54 API calls 48379->48459 48384 40495f 48380->48384 48381->48355 48387 402093 28 API calls 48384->48387 48386 40498f 48389 4049c4 48386->48389 48390 404994 48386->48390 48391 40496e 48387->48391 48461 420e97 28 API calls 48389->48461 48394 402093 28 API calls 48390->48394 48395 41b580 80 API calls 48391->48395 48397 4049a3 48394->48397 48398 404973 48395->48398 48396 4049cc 48399 4049f9 CreateEventW CreateEventW 48396->48399 48402 402093 28 API calls 48396->48402 48400 402093 28 API calls 48397->48400 48452 420d31 48398->48452 48399->48355 
48401 4049b2 48400->48401 48403 41b580 80 API calls 48401->48403 48405 4049e2 48402->48405 48406 4049b7 48403->48406 48407 402093 28 API calls 48405->48407 48460 421143 52 API calls 48406->48460 48409 4049f1 48407->48409 48410 41b580 80 API calls 48409->48410 48411 4049f6 48410->48411 48411->48399 48413 404e40 SetEvent CloseHandle 48412->48413 48414 404e57 closesocket 48412->48414 48415 404ed8 48413->48415 48416 404e64 48414->48416 48415->47688 48417 404e73 48416->48417 48418 404e7a 48416->48418 48466 4050e4 84 API calls 48417->48466 48420 404e8c WaitForSingleObject 48418->48420 48421 404ece SetEvent CloseHandle 48418->48421 48422 420d31 3 API calls 48420->48422 48421->48415 48423 404e9b SetEvent WaitForSingleObject 48422->48423 48424 420d31 3 API calls 48423->48424 48425 404eb3 SetEvent CloseHandle CloseHandle 48424->48425 48425->48421 48426->47688 48427->47688 48429->47688 48430->47688 48431->47688 48432->47688 48433->47706 48434->47706 48435->47706 48436->47706 48437->47706 48438->47706 48439->47706 48440->47706 48441->47706 48442->47706 48443->48329 48444->48336 48445->48344 48450 40515c 102 API calls 48447->48450 48449 405159 48450->48449 48451->48364 48453 41e7a2 48452->48453 48454 420d39 48452->48454 48455 41e7b0 48453->48455 48464 41d8ec DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 48453->48464 48454->48355 48465 41e4d2 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 48455->48465 48458 41e7b7 48459->48386 48460->48398 48461->48396 48462->48367 48464->48455 48465->48458 48466->48418 48468->47742 48469->47768 48470->47767 48471->47756 48472->47760 48473->47766 48476 40f7fd 48474->48476 48475 413584 3 API calls 48475->48476 48476->48475 48477 40f82f 48476->48477 48478 40f8a1 48476->48478 48480 40f891 Sleep 48476->48480 48479 409097 28 API calls 48477->48479 48477->48480 48483 41bcef 28 API calls 48477->48483 48490 401f09 11 API calls 48477->48490 48492 402093 28 API calls 48477->48492 48496 4137aa 14 API calls 48477->48496 
48507 40d0d1 112 API calls ___scrt_get_show_window_mode 48477->48507 48508 41384f 14 API calls 48477->48508 48481 409097 28 API calls 48478->48481 48479->48477 48480->48476 48484 40f8ac 48481->48484 48483->48477 48485 41bcef 28 API calls 48484->48485 48486 40f8b8 48485->48486 48509 41384f 14 API calls 48486->48509 48489 40f8cb 48491 401f09 11 API calls 48489->48491 48490->48477 48493 40f8d7 48491->48493 48492->48477 48494 402093 28 API calls 48493->48494 48495 40f8e8 48494->48495 48497 4137aa 14 API calls 48495->48497 48496->48477 48498 40f8fb 48497->48498 48510 41288b TerminateProcess WaitForSingleObject 48498->48510 48500 40f903 ExitProcess 48511 412829 62 API calls 48506->48511 48508->48477 48509->48489 48510->48500 48512 42f97e 48513 42f989 48512->48513 48514 42f99d 48513->48514 48516 432f7f 48513->48516 48517 432f8a 48516->48517 48518 432f8e 48516->48518 48517->48514 48520 440f5d 48518->48520 48521 446206 48520->48521 48522 446213 48521->48522 48523 44621e 48521->48523 48533 4461b8 21 API calls 3 library calls 48522->48533 48525 446226 48523->48525 48531 44622f ___crtLCMapStringA 48523->48531 48534 446802 20 API calls _free 48525->48534 48526 446234 48535 44062d 20 API calls __dosmaperr 48526->48535 48527 446259 RtlReAllocateHeap 48530 44621b 48527->48530 48527->48531 48530->48517 48531->48526 48531->48527 48536 443001 7 API calls 2 library calls 48531->48536 48533->48530 48534->48530 48535->48530 48536->48531 48537 426cdc 48542 426d59 send 48537->48542 48543 41e04e 48544 41e063 _Yarn ___scrt_get_show_window_mode 48543->48544 48546 432f55 21 API calls 48544->48546 48556 41e266 48544->48556 48550 41e213 ___scrt_get_show_window_mode 48546->48550 48547 41e277 48548 41e21a 48547->48548 48558 432f55 48547->48558 48550->48548 48551 432f55 21 API calls 48550->48551 48554 41e240 ___scrt_get_show_window_mode 48551->48554 48552 41e2b0 ___scrt_get_show_window_mode 48552->48548 48563 4335db 48552->48563 48554->48548 48555 432f55 21 API calls 48554->48555 48555->48556 
48556->48548 48557 41dbf3 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection ___scrt_get_show_window_mode 48556->48557 48557->48547 48559 432f63 48558->48559 48561 432f5f 48558->48561 48560 43bda0 ___std_exception_copy 21 API calls 48559->48560 48562 432f68 48560->48562 48561->48552 48562->48552 48566 4334fa 48563->48566 48565 4335e3 48565->48548 48567 433513 48566->48567 48571 433509 48566->48571 48568 432f55 21 API calls 48567->48568 48567->48571 48569 433534 48568->48569 48569->48571 48572 4338c8 CryptAcquireContextA 48569->48572 48571->48565 48573 4338e4 48572->48573 48574 4338e9 CryptGenRandom 48572->48574 48573->48571 48574->48573 48575 4338fe CryptReleaseContext 48574->48575 48575->48573 48576 426c6d 48582 426d42 recv 48576->48582

                                  Control-flow Graph

                                  APIs
                                  • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                  • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                  • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                  • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                  • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                  • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                  • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                  • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                  • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                  • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                  • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                  • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                  • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                  • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                  • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD17
                                  • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040EA1C), ref: 0041CD28
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD2B
                                  • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040EA1C), ref: 0041CD38
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD3B
                                  • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040EA1C), ref: 0041CD48
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD4B
                                  • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040EA1C), ref: 0041CD5D
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD60
                                  • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040EA1C), ref: 0041CD6D
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD70
                                  • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040EA1C), ref: 0041CD81
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD84
                                  • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040EA1C), ref: 0041CD95
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CD98
                                  • LoadLibraryA.KERNEL32(Rstrtmgr,RmStartSession,?,?,?,?,0040EA1C), ref: 0041CDAA
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CDAD
                                  • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040EA1C), ref: 0041CDBA
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CDBD
                                  • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040EA1C), ref: 0041CDCA
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CDCD
                                  • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040EA1C), ref: 0041CDDA
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041CDDD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$LibraryLoad$HandleModule
                                  • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                  • API String ID: 4236061018-3687161714
                                  • Opcode ID: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                  • Instruction ID: 87b5fa294a9840a4da0a94e675c49188b16ea4214af7843bc20054d8537ab592
                                  • Opcode Fuzzy Hash: 6b21e851a0d3a51eeec0044f2aae63c374cf6436741b915ef551e22e35f3a136
                                  • Instruction Fuzzy Hash: 06419AA0E8035879DA107BB65D8DE3B3E5CD9857953614837B05C93550FBBCDC408EAE

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 5 40ea00-40ea82 call 41cbe1 GetModuleFileNameW call 40f3fe call 4020f6 * 2 call 41beac call 40fb52 call 401e8d call 43fd50 22 40ea84-40eac9 call 40fbee call 401e65 call 401fab call 410f72 call 40fb9f call 40f3eb 5->22 23 40eace-40eb96 call 401e65 call 401fab call 401e65 call 40531e call 406383 call 401fe2 call 401fd8 * 2 call 401e65 call 401fc0 call 405aa6 call 401e65 call 4051e3 call 401e65 call 4051e3 5->23 48 40ef2d-40ef3e call 401fd8 22->48 69 40eb98-40ebe3 call 406c59 call 401fe2 call 401fd8 call 401fab call 413584 23->69 70 40ebe9-40ec04 call 401e65 call 40b9f8 23->70 69->70 102 40f38a-40f3a5 call 401fab call 4139e4 call 4124b0 69->102 79 40ec06-40ec25 call 401fab call 413584 70->79 80 40ec3e-40ec45 call 40d0a4 70->80 79->80 98 40ec27-40ec3d call 401fab call 4139e4 79->98 90 40ec47-40ec49 80->90 91 40ec4e-40ec55 80->91 96 40ef2c 90->96 92 40ec57 91->92 93 40ec59-40ec65 call 41b354 91->93 92->93 103 40ec67-40ec69 93->103 104 40ec6e-40ec72 93->104 96->48 98->80 124 40f3aa-40f3db call 41bcef call 401f04 call 413a5e call 401f09 * 2 102->124 103->104 107 40ecb1-40ecc4 call 401e65 call 401fab 104->107 108 40ec74 call 407751 104->108 129 40ecc6 call 407790 107->129 130 40eccb-40ed53 call 401e65 call 41bcef call 401f13 call 401f09 call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab 107->130 118 40ec79-40ec7b 108->118 121 40ec87-40ec9a call 401e65 call 401fab 118->121 122 40ec7d-40ec82 call 407773 call 40729b 118->122 121->107 141 40ec9c-40eca2 121->141 122->121 157 40f3e0-40f3ea call 40dd7d call 414f65 124->157 129->130 177 40ed55-40ed6e call 401e65 call 401fab call 43bb56 130->177 178 40edbb-40edbf 130->178 141->107 144 40eca4-40ecaa 141->144 144->107 147 40ecac call 40729b 144->147 147->107 177->178 202 40ed70-40edb6 call 401e65 call 401fab call 401e65 call 401fab call 40da6f call 401f13 call 401f09 177->202 179 40ef41-40efa1 call 436f10 call 40247c call 401fab * 2 call 
413733 call 409092 178->179 180 40edc5-40edcc 178->180 233 40efa6-40effa call 401e65 call 401fab call 402093 call 401fab call 4137aa call 401e65 call 401fab call 43bb2c 179->233 182 40ee4a-40ee54 call 409092 180->182 183 40edce-40ee48 call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 40ce34 180->183 192 40ee59-40ee7d call 40247c call 434829 182->192 183->192 213 40ee8c 192->213 214 40ee7f-40ee8a call 436f10 192->214 202->178 217 40ee8e-40eed9 call 401f04 call 43f859 call 40247c call 401fab call 40247c call 401fab call 413982 213->217 214->217 271 40eede-40ef03 call 434832 call 401e65 call 40b9f8 217->271 286 40f017-40f019 233->286 287 40effc 233->287 271->233 288 40ef09-40ef28 call 401e65 call 41bcef call 40f4af 271->288 290 40f01b-40f01d 286->290 291 40f01f 286->291 289 40effe-40f015 call 41ce2c CreateThread 287->289 288->233 306 40ef2a 288->306 294 40f025-40f101 call 402093 * 2 call 41b580 call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 43bb2c call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab call 401e65 call 401fab StrToIntA call 409e1f call 401e65 call 401fab 289->294 290->289 291->294 344 40f103-40f13a call 43455e call 401e65 call 401fab CreateThread 294->344 345 40f13c 294->345 306->96 347 40f13e-40f156 call 401e65 call 401fab 344->347 345->347 356 40f194-40f1a7 call 401e65 call 401fab 347->356 357 40f158-40f18f call 43455e call 401e65 call 401fab CreateThread 347->357 368 40f207-40f21a call 401e65 call 401fab 356->368 369 40f1a9-40f202 call 401e65 call 401fab call 401e65 call 401fab call 40da23 call 401f13 call 401f09 CreateThread 356->369 357->356 379 40f255-40f279 call 41b69e call 401f13 call 401f09 368->379 380 40f21c-40f250 call 401e65 call 401fab call 401e65 call 401fab call 43bb2c call 40c19d 368->380 369->368 400 40f27b-40f27c SetProcessDEPPolicy 379->400 401 40f27e-40f291 CreateThread 379->401 380->379 400->401 404 
40f293-40f29d CreateThread 401->404 405 40f29f-40f2a6 401->405 404->405 408 40f2b4-40f2bb 405->408 409 40f2a8-40f2b2 CreateThread 405->409 412 40f2c9 408->412 413 40f2bd-40f2c0 408->413 409->408 418 40f2ce-40f302 call 402093 call 4052fd call 402093 call 41b580 call 401fd8 412->418 415 40f2c2-40f2c7 413->415 416 40f307-40f31a call 401fab call 41353a 413->416 415->418 426 40f31f-40f322 416->426 418->416 426->157 428 40f328-40f368 call 41bcef call 401f04 call 413656 call 401f09 call 401f04 426->428 443 40f381-40f386 DeleteFileW 428->443 444 40f388 443->444 445 40f36a-40f36d 443->445 444->124 445->124 446 40f36f-40f37c Sleep call 401f04 445->446 446->443
                                  APIs
                                    • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CBF6
                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CBFF
                                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040EA1C), ref: 0041CC16
                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC19
                                    • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC2B
                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC2E
                                    • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040EA1C), ref: 0041CC3F
                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC42
                                    • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040EA1C), ref: 0041CC54
                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC57
                                    • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040EA1C), ref: 0041CC63
                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC66
                                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040EA1C), ref: 0041CC77
                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC7A
                                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040EA1C), ref: 0041CC8B
                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CC8E
                                    • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040EA1C), ref: 0041CC9F
                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCA2
                                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040EA1C), ref: 0041CCB3
                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCB6
                                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040EA1C), ref: 0041CCC7
                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCCA
                                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040EA1C), ref: 0041CCDB
                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCDE
                                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040EA1C), ref: 0041CCEF
                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CCF2
                                    • Part of subcall function 0041CBE1: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040EA1C), ref: 0041CD03
                                    • Part of subcall function 0041CBE1: GetProcAddress.KERNEL32(00000000), ref: 0041CD06
                                    • Part of subcall function 0041CBE1: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040EA1C), ref: 0041CD14
                                  • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe,00000104), ref: 0040EA29
                                    • Part of subcall function 00410F72: __EH_prolog.LIBCMT ref: 00410F77
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                  • String ID: SG$ SG$,aF$,aF$8SG$8SG$Access Level: $Administrator$C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe$Exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$licence$license_code.txt$pW
                                  • API String ID: 2830904901-2751194028
                                  • Opcode ID: 49431b8dd783423accf16740c7d71729371280868a66773ebf6fb8fdb646c024
                                  • Instruction ID: f870588dacc207cf398a21a9077505b2b75b96970711a81e27f166ce8512e3fa
                                  • Opcode Fuzzy Hash: 49431b8dd783423accf16740c7d71729371280868a66773ebf6fb8fdb646c024
                                  • Instruction Fuzzy Hash: 9B32F960B043412BDA24B7729C57B7E26994F80748F50483FB9467B2E3EEBC8D45839E

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1277 40a2f3-40a30a 1278 40a30c-40a326 SetWindowsHookExA 1277->1278 1279 40a36e-40a37e GetMessageA 1277->1279 1278->1279 1284 40a328-40a36c GetLastError call 41bc1f call 4052fd call 402093 call 41b580 call 401fd8 1278->1284 1280 40a380-40a398 TranslateMessage DispatchMessageA 1279->1280 1281 40a39a 1279->1281 1280->1279 1280->1281 1282 40a39c-40a3a1 1281->1282 1284->1282
                                  APIs
                                  • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A30E
                                  • SetWindowsHookExA.USER32(0000000D,0040A2DF,00000000), ref: 0040A31C
                                  • GetLastError.KERNEL32 ref: 0040A328
                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A376
                                  • TranslateMessage.USER32(?), ref: 0040A385
                                  • DispatchMessageA.USER32(?), ref: 0040A390
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                  • String ID: Keylogger initialization failure: error $`#v
                                  • API String ID: 3219506041-3226811161
                                  • Opcode ID: 90b0715fe4a03c7950091ea493cf6ac8be3b9c9bd1286eec6a190886210d1988
                                  • Instruction ID: 8743f2250fb8cae6a99ae5fb3d4b34fe2baf279f6720e4878f05ffc9670b3ffc
                                  • Opcode Fuzzy Hash: 90b0715fe4a03c7950091ea493cf6ac8be3b9c9bd1286eec6a190886210d1988
                                  • Instruction Fuzzy Hash: 6011BF31510301EBC710BB769D0986B77ACEA95715B20097EFC82E22D1EB34C910CBAA

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 00413584: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                                    • Part of subcall function 00413584: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 004135C2
                                    • Part of subcall function 00413584: RegCloseKey.KERNEL32(?), ref: 004135CD
                                  • Sleep.KERNEL32(00000BB8), ref: 0040F896
                                  • ExitProcess.KERNEL32 ref: 0040F905
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseExitOpenProcessQuerySleepValue
                                  • String ID: 5.1.2 Pro$override$pth_unenc
                                  • API String ID: 2281282204-3554326054
                                  • Opcode ID: 63a879446c8ff419ef4e70c844bd481c765728b91b26e4cfc9b1ce748e39a5f9
                                  • Instruction ID: d275b5d15c9ff05a0ec0da3c9587874d7690dc7fa5d0ec02d6e8a4ede61593ab
                                  • Opcode Fuzzy Hash: 63a879446c8ff419ef4e70c844bd481c765728b91b26e4cfc9b1ce748e39a5f9
                                  • Instruction Fuzzy Hash: 5921E171B0420127D6087676885B6AE399A9B80708F50453FF409672D7FF7C8E0483AF

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1427 404f51-404f5f 1428 404f65-404f6c 1427->1428 1429 404fea 1427->1429 1430 404f74-404f7b 1428->1430 1431 404f6e-404f72 1428->1431 1432 404fec-404ff1 1429->1432 1433 404fc0-404fe8 CreateEventA CreateThread 1430->1433 1434 404f7d-404fbb GetLocalTime call 41bc1f call 4052fd call 402093 call 41b580 call 401fd8 1430->1434 1431->1433 1433->1432 1434->1433
                                  APIs
                                  • GetLocalTime.KERNEL32(?), ref: 00404F81
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FCD
                                  • CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                                  Strings
                                  • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Create$EventLocalThreadTime
                                  • String ID: KeepAlive | Enabled | Timeout:
                                  • API String ID: 2532271599-1507639952
                                  • Opcode ID: d6bdf093f7aea2e5024bc4ba9810f3b5686ab9589db354a71a8a5fd0b8ad62b9
                                  • Instruction ID: 41fa32a9fb91b1633a7afb8999ae97baef60c60c8d6252053b050d354fdafbcf
                                  • Opcode Fuzzy Hash: d6bdf093f7aea2e5024bc4ba9810f3b5686ab9589db354a71a8a5fd0b8ad62b9
                                  • Instruction Fuzzy Hash: 82110A71800385BAC720A7779C0DEAB7FACDBD2714F04046FF54162291D6B89445CBBA
                                  APIs
                                  • GetComputerNameExW.KERNEL32(00000001,?,0000002B,pW), ref: 0041B6BB
                                  • GetUserNameW.ADVAPI32(?,0040F25E), ref: 0041B6D3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Name$ComputerUser
                                  • String ID: pW
                                  • API String ID: 4229901323-3683314483
                                  • Opcode ID: 2a75debd1ac83804218ef8ff91a3dd31c7e5d47f43b5da7d436b4f8c80832694
                                  • Instruction ID: 8360233331794fbd8bccde093e114755ab2a7c2896376219b9d5f45c8fb32f7b
                                  • Opcode Fuzzy Hash: 2a75debd1ac83804218ef8ff91a3dd31c7e5d47f43b5da7d436b4f8c80832694
                                  • Instruction Fuzzy Hash: 90014F7190011CABCB01EBD1DC45EEDB7BCAF44309F10016AB505B21A1EFB46E88CBA8
                                  APIs
                                  • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00433550,00000034,?,?,00589630), ref: 004338DA
                                  • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000), ref: 004338F0
                                  • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,004335E3,00000000,?,00000000,0041E2E2), ref: 00433902
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Crypt$Context$AcquireRandomRelease
                                  • String ID:
                                  • API String ID: 1815803762-0
                                  • Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                  • Instruction ID: d68cd6f5f98cbfa2ab0450769c499d20ea76a36e668e3df749659bd42d9a4b78
                                  • Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
                                  • Instruction Fuzzy Hash: 40E09A31208310FBEB301F21AC08F573AA5EF89B66F200A3AF256E40E4D6A68801965C
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: recv
                                  • String ID:
                                  • API String ID: 1507349165-0
                                  • Opcode ID: f4db5bd4806bc66e377c48788e3214861744c877e7cd4eb35e6567da0e63c1ec
                                  • Instruction ID: c63eaffdb417a6470c671315a396a42075a312041b5b8b5670d44767818a4bbd
                                  • Opcode Fuzzy Hash: f4db5bd4806bc66e377c48788e3214861744c877e7cd4eb35e6567da0e63c1ec
                                  • Instruction Fuzzy Hash: 26B09279108202FFCA150B60CC0886ABEA6ABC8382B00882DB586411B0C736C851AB26

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 448 414f65-414fad call 4020df call 41b944 call 4020df call 401e65 call 401fab call 43bb2c 461 414fbc-415008 call 402093 call 401e65 call 4020f6 call 41beac call 40489e call 401e65 call 40b9f8 448->461 462 414faf-414fb6 Sleep 448->462 477 41500a-415079 call 401e65 call 40247c call 401e65 call 401fab call 401e65 call 40247c call 401e65 call 401fab call 401e65 call 40247c call 401e65 call 401fab call 40473d 461->477 478 41507c-415117 call 402093 call 401e65 call 4020f6 call 41beac call 401e65 * 2 call 406c59 call 402f10 call 401fe2 call 401fd8 * 2 call 401e65 call 405b05 461->478 462->461 477->478 531 415127-41512e 478->531 532 415119-415125 478->532 533 415133-4151c5 call 405aa6 call 40531e call 406383 call 402f10 call 402093 call 41b580 call 401fd8 * 2 call 401e65 call 401fab call 401e65 call 401fab call 414f24 531->533 532->533 560 415210-41521e call 40482d 533->560 561 4151c7-41520b WSAGetLastError call 41cb72 call 4052fd call 402093 call 41b580 call 401fd8 533->561 566 415220-415246 call 402093 * 2 call 41b580 560->566 567 41524b-415259 call 404f51 call 4048c8 560->567 584 415ade-415af0 call 404e26 call 4021fa 561->584 566->584 580 41525e-415260 567->580 583 415266-4153b9 call 401e65 * 2 call 40531e call 406383 call 402f10 call 406383 call 402f10 call 402093 call 41b580 call 401fd8 * 4 call 41b871 call 4145f8 call 409097 call 441ed1 call 401e65 call 4020f6 call 40247c call 401fab * 2 call 413733 580->583 580->584 648 4153bb-4153c8 call 405aa6 583->648 649 4153cd-4153f4 call 401fab call 4135e1 583->649 597 415af2-415b12 call 401e65 call 401fab call 43bb2c Sleep 584->597 598 415b18-415b20 call 401e8d 584->598 597->598 598->478 648->649 655 4153f6-4153f8 649->655 656 4153fb-415a51 call 40417e call 40ddc4 call 41bcd3 call 41bdaf call 41bc1f call 401e65 GetTickCount call 41bc1f call 41bb77 call 41bc1f * 2 call 41bb27 call 41bdaf * 5 call 40f90c call 41bdaf call 402f31 call 402ea1 call 402f10 call 402ea1 call 402f10 * 3 call 402ea1 call 402f10 call 406383 call 402f10 call 406383 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 406383 call 402f10 * 5 call 402ea1 call 402f10 call 402ea1 call 402f10 * 7 call 402ea1 call 404aa1 call 401fd8 * 50 call 401f09 call 401fd8 * 6 call 401f09 call 404c10 649->656 655->656 902 415a53-415a5a 656->902 903 415a65-415a6c 656->903 902->903 904 415a5c-415a5e 902->904 905 415a78-415aaa call 405a6b call 402093 * 2 call 41b580 903->905 906 415a6e-415a73 call 40b08c 903->906 904->903 917 415aac-415ab8 CreateThread 905->917 918 415abe-415ad9 call 401fd8 * 2 call 401f09 905->918 906->905 917->918 918->584
                                  APIs
                                  • Sleep.KERNEL32(00000000,00000029,004752F0,pW,00000000), ref: 00414FB6
                                  • WSAGetLastError.WS2_32(00000000,00000001), ref: 004151C7
                                  • Sleep.KERNEL32(00000000,00000002), ref: 00415B12
                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep$ErrorLastLocalTime
                                  • String ID: | $%I64u$,aF$5.1.2 Pro$8SG$8jY$C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$PSG$TLS Off$TLS On $dMG$hlight$name$pW$NG$NG
                                  • API String ID: 524882891-1874285303
                                  • Opcode ID: 17b944b1b835277ad5605e6f7f563df8fce4a85f4fa63bc7f229c9f4c273a99b
                                  • Instruction ID: 9dea7478a43989413a8a7de35667e348ffff56bc780dedce428272fd6db975fd
                                  • Opcode Fuzzy Hash: 17b944b1b835277ad5605e6f7f563df8fce4a85f4fa63bc7f229c9f4c273a99b
                                  • Instruction Fuzzy Hash: B8526C31A001155ACB18F732DD96AFEB3769F90348F5044BFE40A761E2EF781E858A9D

                                  Control-flow Graph

                                  APIs
                                  • Sleep.KERNEL32(00001388), ref: 0040A77B
                                    • Part of subcall function 0040A6B0: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                    • Part of subcall function 0040A6B0: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                    • Part of subcall function 0040A6B0: Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                    • Part of subcall function 0040A6B0: CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A7B7
                                  • GetFileAttributesW.KERNEL32(00000000), ref: 0040A7C8
                                  • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7DF
                                  • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A859
                                    • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                  • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466478,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A962
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                  • String ID: 8SG$8SG$pQG$pQG$pW$xdF
                                  • API String ID: 3795512280-3242551868
                                  • Opcode ID: db686e10471e88e88e6c2a6410797b3bbe7a67903047043a717f9aa792139144
                                  • Instruction ID: 2a79d88b44a8fc0b04dcb000ea34af81e4c48788ca5147296d011aa32960a087
                                  • Opcode Fuzzy Hash: db686e10471e88e88e6c2a6410797b3bbe7a67903047043a717f9aa792139144
                                  • Instruction Fuzzy Hash: B6516E716043015ACB15BB72C866ABE77AA9F80349F00483FF646B71E2DF7C9D09865E

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1023 4048c8-4048e8 connect 1024 404a1b-404a1f 1023->1024 1025 4048ee-4048f1 1023->1025 1028 404a21-404a2f WSAGetLastError 1024->1028 1029 404a97 1024->1029 1026 404a17-404a19 1025->1026 1027 4048f7-4048fa 1025->1027 1030 404a99-404a9e 1026->1030 1031 404926-404930 call 420cf1 1027->1031 1032 4048fc-404923 call 40531e call 402093 call 41b580 1027->1032 1028->1029 1033 404a31-404a34 1028->1033 1029->1030 1045 404941-40494e call 420f20 1031->1045 1046 404932-40493c 1031->1046 1032->1031 1035 404a71-404a76 1033->1035 1036 404a36-404a6f call 41cb72 call 4052fd call 402093 call 41b580 call 401fd8 1033->1036 1038 404a7b-404a94 call 402093 * 2 call 41b580 1035->1038 1036->1029 1038->1029 1058 404950-404973 call 402093 * 2 call 41b580 1045->1058 1059 404987-404992 call 421ad1 1045->1059 1046->1038 1085 404976-404982 call 420d31 1058->1085 1070 4049c4-4049d1 call 420e97 1059->1070 1071 404994-4049c2 call 402093 * 2 call 41b580 call 421143 1059->1071 1081 4049d3-4049f6 call 402093 * 2 call 41b580 1070->1081 1082 4049f9-404a14 CreateEventW * 2 1070->1082 1071->1085 1081->1082 1082->1026 1085->1029
                                  APIs
                                  • connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                  • WSAGetLastError.WS2_32 ref: 00404A21
                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                  • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                  • API String ID: 994465650-2151626615
                                  • Opcode ID: 7adcd97a12df77eb00c978c8fa497ed471b838c2edee9eb12bf68db0be483499
                                  • Instruction ID: 8b7d3ad86a52f8452b0ebae4faff6649d271d562dba2871a89d137605d3bb54b
                                  • Opcode Fuzzy Hash: 7adcd97a12df77eb00c978c8fa497ed471b838c2edee9eb12bf68db0be483499
                                  • Instruction Fuzzy Hash: CE41E8B57506017BC61877BB890B52E7A56AB81308B50017FEA0256AD3FA7D9C108BEF

                                  Control-flow Graph

                                  APIs
                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                  • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                  • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                  • closesocket.WS2_32(000000FF), ref: 00404E5A
                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                                  • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                                  • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBF
                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EC4
                                  • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                                  • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                  • String ID:
                                  • API String ID: 3658366068-0
                                  • Opcode ID: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                  • Instruction ID: 681aebbacbf541c1c6cd6dfca6fba55586e42b113d9ea1c0d4e3a90daa9851ad
                                  • Opcode Fuzzy Hash: 6e2d3047bbcd54dd6fb538b66de187a0499e62ad67d4cfb628094cbec65cae59
                                  • Instruction Fuzzy Hash: DE21EA71154B04AFDB216B26DC49B1BBBA1FF40326F104A2DE2E211AF1CB79B851DB58

                                  Control-flow Graph

                                  APIs
                                  • __Init_thread_footer.LIBCMT ref: 0040AD73
                                  • Sleep.KERNEL32(000001F4), ref: 0040AD7E
                                  • GetForegroundWindow.USER32 ref: 0040AD84
                                  • GetWindowTextLengthW.USER32(00000000), ref: 0040AD8D
                                  • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040ADC1
                                  • Sleep.KERNEL32(000003E8), ref: 0040AE8F
                                    • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                  • String ID: [${ User has been idle for $ minutes }$]

                                  Control-flow Graph

                                  APIs
                                  • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040DBD5
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: LongNamePath
                                  • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                    • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                    • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                    • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                    • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                  • StrToIntA.SHLWAPI(00000000,0046CA08,00000000,00000000,00000000,pW,00000003,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0041B3CD
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: Process$CloseCurrentOpenQueryValueWow64
                                  • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion$pW

                                  Control-flow Graph

                                  APIs
                                  • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C4DE
                                  • CloseHandle.KERNEL32(00000000), ref: 0041C4EA
                                  • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C4FB
                                  • CloseHandle.KERNEL32(00000000), ref: 0041C508
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseHandle$CreatePointerWrite
                                  • String ID: xpF

                                  Control-flow Graph

                                  APIs
                                  • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A788), ref: 0040A6E6
                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A788), ref: 0040A6F5
                                  • Sleep.KERNEL32(00002710,?,?,?,0040A788), ref: 0040A722
                                  • CloseHandle.KERNEL32(00000000,?,?,?,0040A788), ref: 0040A729
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseCreateHandleSizeSleep
                                  • String ID: XQG

                                  Control-flow Graph

                                  APIs
                                  • CreateThread.KERNEL32(00000000,00000000,0040A2B8,?,00000000,00000000), ref: 0040A239
                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040A249
                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040A255
                                    • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                    • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: CreateThread$LocalTimewsprintf
                                  • String ID: Offline Keylogger Started
                                  APIs
                                  • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                  • RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,004752F0,?,?,0040F88E,004674C8,5.1.2 Pro), ref: 004137E1
                                  • RegCloseKey.KERNEL32(?,?,?,0040F88E,004674C8,5.1.2 Pro), ref: 004137EC
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: CloseCreateValue
                                  • String ID: pth_unenc
                                  APIs
                                  • getaddrinfo.WS2_32(00000000,00000000,00000000,00472ADC,pW,00000000,004151C3,00000000,00000001), ref: 00414F46
                                  • WSASetLastError.WS2_32(00000000), ref: 00414F4B
                                    • Part of subcall function 00414DC1: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                    • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414E52
                                    • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                    • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                    • Part of subcall function 00414DC1: LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                    • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                    • Part of subcall function 00414DC1: FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                    • Part of subcall function 00414DC1: GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                  • String ID: pW
                                  APIs
                                  • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC43,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660CC,00000003,00000000), ref: 0040D0B3
                                  • GetLastError.KERNEL32 ref: 0040D0BE
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: CreateErrorLastMutex
                                  • String ID: SG
                                  APIs
                                  • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                  • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                  • RegCloseKey.KERNEL32(?), ref: 0041362D
                                  Yara matches
                                  Similarity
                                  • API ID: CloseOpenQueryValue
                                  • String ID:
                                  APIs
                                  • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004135A4
                                  • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004752F0), ref: 004135C2
                                  • RegCloseKey.KERNEL32(?), ref: 004135CD
                                  Yara matches
                                  Similarity
                                  • API ID: CloseOpenQueryValue
                                  • String ID:
                                  APIs
                                  • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040C1D7,00466C58), ref: 00413551
                                  • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040C1D7,00466C58), ref: 00413565
                                  • RegCloseKey.KERNEL32(?,?,?,0040C1D7,00466C58), ref: 00413570
                                  Yara matches
                                  Similarity
                                  • API ID: CloseOpenQueryValue
                                  • String ID:
                                  APIs
                                  • RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                  • RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                  • RegCloseKey.KERNEL32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseCreateValue
                                  • String ID:
                                  • API String ID: 1818849710-0
                                  • Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                  • Instruction ID: 04d77b696783773a8a307df6842786532c8303179302b097fa31242bc3118ae5
                                  • Instruction Fuzzy Hash: 1EE06D72500318FBDF109FA0DC06FEA7BACEF04B62F104565BF09A6191D6358E14E7A8
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _wcslen
                                  • String ID: pQG
                                  • API String ID: 176396367-3769108836
                                  • Opcode ID: 2909f1be4624e20aefd95f70af1697863fb55ab0ff45cf84c0a49d4b96723009
                                  • Instruction ID: e26466b944e621eef81fbe5db30e3e3b172770e45cde188e8c087a2518f8d89f
                                  • Instruction Fuzzy Hash: 631181319002059BCB15EF66E852AEF7BB4AF54314B10413FF446A62E2EF78AD15CB98
                                  APIs
                                  • _free.LIBCMT ref: 00446227
                                    • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                  • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?,0000000F,00000000,00432F93,00000000,0000000F,0042F99D,?,?,00431A44,?,?,00000000), ref: 00446263
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap$_free
                                  • String ID:
                                  • API String ID: 1482568997-0
                                  • Opcode ID: b10fa1e8472e683284d1f6c52ed4eb802d80ccb8cfc65d6c0dd02300a023487f
                                  • Instruction ID: 528349031ecf72c594af6ac828cc426c74ce8c7b4bfa82022820746e0f177899
                                  • Instruction Fuzzy Hash: 4CF0283110121176BB213B266C01B6B3759AF83B70B1700ABFC1466281CFBCCC41406F
                                  APIs
                                  • socket.WS2_32(?,00000001,00000006), ref: 00404852
                                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
                                    • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateEventStartupsocket
                                  • String ID:
                                  • API String ID: 1953588214-0
                                  • Opcode ID: 1e452a305f2f2717745e8e1604374189d9659e6cad2ea1bb393ee33250cb33e3
                                  • Instruction ID: ed99eca956a2b7a9b5891d615cc725ddac26720bb1770143763ad27df005c20f
                                  • Instruction Fuzzy Hash: 760171B1408B809ED7359F38A8456877FE0AB55304F048D6EF1DA97B91D3B5A881CB18
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 9dc7fa543976cc1aa64452a14dec52ea5ded8d4e1ebcbf177ce858167d1c4c1d
                                  • Instruction ID: 139fbca062bb8bf671a891d82c3cf8fc988f9ce198a1a8b78c24da0334343556
                                  • Instruction Fuzzy Hash: CEE0E531A0021267F6312A269C01B5B76599B437A0F170137AD15922D2CE6CCD0181EF
                                  APIs
                                  • WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Startup
                                  • String ID:
                                  • API String ID: 724789610-0
                                  • Opcode ID: e47b679f8b5f7a60eca2a032b66c8256c268ab46ab34190103e4171c6a1e128b
                                  • Instruction ID: 97c3e6bab4f4407137ad71e204409d8be70fba83985c90e8682379c152a4c00d
                                  • Instruction Fuzzy Hash: 92D0123255C70C8EE620ABB4AD0F8A4775CC317616F0007BA6CB5836D3E6405B1DC2AB
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: send
                                  • String ID:
                                  • API String ID: 2809346765-0
                                  • Opcode ID: b9ca0b0eaa02557cb4d56b342a6254bf92ad90fc72112118e0a601f448bbd0ca
                                  • Instruction ID: 21703143275c54c82102de5c78eddca0fb0a16d203a0de67c7bd570fb3111ac2
                                  • Instruction Fuzzy Hash: 87B09B75108301FFD6150760CC0486A7D6597C8341F00491C718741170C635C8515725
                                  APIs
                                  • SetEvent.KERNEL32(?,?), ref: 00407CF4
                                  • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407DC2
                                  • DeleteFileW.KERNEL32(00000000), ref: 00407DE4
                                    • Part of subcall function 0041C322: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C37D
                                    • Part of subcall function 0041C322: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3AD
                                    • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C402
                                    • Part of subcall function 0041C322: FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C463
                                    • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C46A
                                    • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                    • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                    • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004081D2
                                  • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004082B3
                                  • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084FF
                                  • DeleteFileA.KERNEL32(?), ref: 0040868D
                                    • Part of subcall function 00408847: __EH_prolog.LIBCMT ref: 0040884C
                                    • Part of subcall function 00408847: FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                    • Part of subcall function 00408847: __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                    • Part of subcall function 00408847: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                  • Sleep.KERNEL32(000007D0), ref: 00408733
                                  • StrToIntA.SHLWAPI(00000000,00000000), ref: 00408775
                                    • Part of subcall function 0041CA73: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                                  • String ID: (PG$(aF$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
                                  • API String ID: 1067849700-414524693
                                  • Opcode ID: fc876e41b72d509e8154fd9ee22d13ec532505f20f9aff529124cedb1fde61f5
                                  • Instruction ID: f533dcafa702064eae222fc9ff54aa9327b172b3479e3db69e1c842a3252ef64
                                  • Instruction Fuzzy Hash: F04293716043016BC604FB76C9579AE77A9AF91348F80483FF542671E2EF7C9908879B
                                  APIs
                                  • __Init_thread_footer.LIBCMT ref: 004056E6
                                    • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                  • __Init_thread_footer.LIBCMT ref: 00405723
                                  • CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660CC,00000000), ref: 004057B6
                                  • CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
                                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
                                  • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
                                  • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
                                  • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9
                                    • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                  • WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90,004660D0,00000062,004660B4), ref: 004059E4
                                  • Sleep.KERNEL32(00000064,00000062,004660B4), ref: 004059FE
                                  • TerminateProcess.KERNEL32(00000000), ref: 00405A17
                                  • CloseHandle.KERNEL32 ref: 00405A23
                                  • CloseHandle.KERNEL32 ref: 00405A2B
                                  • CloseHandle.KERNEL32 ref: 00405A3D
                                  • CloseHandle.KERNEL32 ref: 00405A45
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                  • String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
                                  • API String ID: 2994406822-18413064
                                  • Opcode ID: 8a058daa5e87d3f182b44868b89da68c74a294f22d62ea2036980ae8ede20df6
                                  • Instruction ID: feb7c3e087fbbfe745e3798ef664df189eb35a760580a6c3fca7c2e5343dee52
                                  • Instruction Fuzzy Hash: 1A91C271604604AFD711FB36ED42A6B369AEB84308F01443FF589A62E2DB7D9C448F6D
                                  APIs
                                  • GetCurrentProcessId.KERNEL32 ref: 00412141
                                    • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                    • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                    • Part of subcall function 004138B2: RegCloseKey.KERNEL32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                  • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00412181
                                  • CloseHandle.KERNEL32(00000000), ref: 00412190
                                  • CreateThread.KERNEL32(00000000,00000000,00412829,00000000,00000000,00000000), ref: 004121E6
                                  • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00412455
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                  • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                  • API String ID: 3018269243-13974260
                                  • Opcode ID: 0bc6abb93a007a62e155aad46a945be6e257eeb2644a433d62495adb5594a49a
                                  • Instruction ID: f1b014459f2de55ad39b9ce4e2eab06dd530905b6b6ad57ecd0cf2e75cce6712
                                  • Instruction Fuzzy Hash: B971A23160430167C614FB72CD579AE77A4AE94308F40097FF586A21E2FFBC9A49C69E
                                  APIs
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBEA
                                  • FindClose.KERNEL32(00000000), ref: 0040BC04
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 0040BD27
                                  • FindClose.KERNEL32(00000000), ref: 0040BD4D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$CloseFile$FirstNext
                                  • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                  • API String ID: 1164774033-3681987949
                                  • Opcode ID: 6c639a8cbac5ca484f8773e9da93299d118512ec2cf8b834913427766c983489
                                  • Instruction ID: 8b0b2ff803da1d4b435a108118727fe7c74031c8ac088da8990f7d135a86af9b
                                  • Instruction Fuzzy Hash: C7514F3190021A9ADB14FBB2DC56AEEB739AF10304F50057FF506721E2FF785A49CA99
                                  APIs
                                  • OpenClipboard.USER32 ref: 004168FD
                                  • EmptyClipboard.USER32 ref: 0041690B
                                  • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
                                  • GlobalLock.KERNEL32(00000000), ref: 00416934
                                  • GlobalUnlock.KERNEL32(00000000), ref: 0041696A
                                  • SetClipboardData.USER32(0000000D,00000000), ref: 00416973
                                  • CloseClipboard.USER32 ref: 00416990
                                  • OpenClipboard.USER32 ref: 00416997
                                  • GetClipboardData.USER32(0000000D), ref: 004169A7
                                  • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                  • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                  • CloseClipboard.USER32 ref: 004169BF
                                    • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                  • String ID: !D@$xdF
                                  • API String ID: 3520204547-3540039394
                                  • Opcode ID: 5191756a023fad829b92f3fa5878b55421fcb75fc4cc2359890982a259b57d49
                                  • Instruction ID: 548dc4d81477911aad8e8b192ef25fd2d65b79b2884d290c2f7190e4363fe536
                                  • Opcode Fuzzy Hash: 5191756a023fad829b92f3fa5878b55421fcb75fc4cc2359890982a259b57d49
                                  • Instruction Fuzzy Hash: 23215171204301EBD714BB71DC5DAAE7AA9AF88746F00043EF946961E2EF3C8C45866A
                                  APIs
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,pW,?,00475338), ref: 0040F4C9
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00475338), ref: 0040F4F4
                                  • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F510
                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F58F
                                  • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00475338), ref: 0040F59E
                                    • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                    • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                  • CloseHandle.KERNEL32(00000000,?,00475338), ref: 0040F6A9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
                                  • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$pW$xdF$xdF
                                  • API String ID: 3756808967-610734435
                                  • Opcode ID: c575ac8939463ca684cedb7c6906afd83d502d5e5bbe83c4c666d8f6a0325efa
                                  • Instruction ID: 73d50abc618c2a3d6a57d9d5b79267519347fdb4c989691d2635b3abfd1995a7
                                  • Opcode Fuzzy Hash: c575ac8939463ca684cedb7c6906afd83d502d5e5bbe83c4c666d8f6a0325efa
                                  • Instruction Fuzzy Hash: B5712E705083419AC724FB21D8959AEB7E4AF90348F40483FF586631E3EF79994DCB9A
                                  APIs
                                  • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
                                  • FindClose.KERNEL32(00000000), ref: 0040BE04
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
                                  • FindClose.KERNEL32(00000000), ref: 0040BEEA
                                  • FindClose.KERNEL32(00000000), ref: 0040BF0B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$Close$File$FirstNext
                                  • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                  • API String ID: 3527384056-432212279
                                  • Opcode ID: ac2c58898ed4881048f14169fe64a4f28670cbea93e3b81032ca527b9b506f8a
                                  • Instruction ID: 490896facf616f27299b965c2ba25c256be2621490ca3b25f990f1d956524bcc
                                  • Opcode Fuzzy Hash: ac2c58898ed4881048f14169fe64a4f28670cbea93e3b81032ca527b9b506f8a
                                  • Instruction Fuzzy Hash: E0417F3190021AAACB04F7B2DC5A9EE7769AF11704F50057FF506B21E2EF385A458A9D
                                  APIs
                                  • CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413452
                                  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413460
                                  • GetFileSize.KERNEL32(?,00000000), ref: 0041346D
                                  • UnmapViewOfFile.KERNEL32(00000000), ref: 0041348D
                                  • CloseHandle.KERNEL32(00000000), ref: 0041349A
                                  • CloseHandle.KERNEL32(?), ref: 004134A0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseHandleView$CreateMappingSizeUnmap
                                  • String ID:
                                  • API String ID: 297527592-0
                                  • Opcode ID: 573418a06dd7c073e455918c82d17ef7f90be6d35999627a98a3222c49d03fc5
                                  • Instruction ID: 84c8eec30da1abd4ec43dfc3561b6153623c17c5959ee0fa3a13cc5c00e14cc2
                                  • Opcode Fuzzy Hash: 573418a06dd7c073e455918c82d17ef7f90be6d35999627a98a3222c49d03fc5
                                  • Instruction Fuzzy Hash: F041F331104301BBD7119F25EC49F6B3BACEFC9769F10052EF655D21A2DB38DA40866E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 0$1$2$3$4$5$6$7$VG
                                  • API String ID: 0-1861860590
                                  • Opcode ID: fa5d28c5653a06ee74d606b0804547a39682ca64517b0fde9ecd30e9690a319d
                                  • Instruction ID: 7133b754bba813e7b371628f59950815dc208a5c28e1558ec9b3f3725e93ffbd
                                  • Opcode Fuzzy Hash: fa5d28c5653a06ee74d606b0804547a39682ca64517b0fde9ecd30e9690a319d
                                  • Instruction Fuzzy Hash: 9171E2709183019FD704EF21D862BAB7B94DF85710F00492FF5A26B2D1DE78AB49CB96
                                  APIs
                                    • Part of subcall function 0041798D: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                    • Part of subcall function 0041798D: OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                    • Part of subcall function 0041798D: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                    • Part of subcall function 0041798D: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                    • Part of subcall function 0041798D: GetLastError.KERNEL32 ref: 004179D8
                                  • ExitWindowsEx.USER32(00000000,00000001), ref: 00416891
                                  • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 004168A6
                                  • GetProcAddress.KERNEL32(00000000), ref: 004168AD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                  • String ID: !D@$$aF$(aF$,aF$PowrProf.dll$SetSuspendState
                                  • API String ID: 1589313981-3345310279
                                  • Opcode ID: 5a67a4a310bbeab77cb956b6f29dad078fe7ead2311179410cf603bdc65d0c30
                                  • Instruction ID: 272f3f60014ab8f8f2fa2781f50e1ac7d9ab3f628c5d0f86ef79d7992e461550
                                  • Opcode Fuzzy Hash: 5a67a4a310bbeab77cb956b6f29dad078fe7ead2311179410cf603bdc65d0c30
                                  • Instruction Fuzzy Hash: D821B17060430166CA14FBB28856ABF36599F41388F41087FB501671D2EF3DD845C76E
                                  APIs
                                  • _wcslen.LIBCMT ref: 0040755C
                                  • CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Object_wcslen
                                  • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                  • API String ID: 240030777-3166923314
                                  • Opcode ID: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
                                  • Instruction ID: 28daeeabb8f9d0779e909056d36d27ae9c6096be3406941992b1a3e854751cf1
                                  • Opcode Fuzzy Hash: 117ce5ffae064854f49a167cf2fa86c02e7857af1ac0d1358aae668e1cde24ce
                                  • Instruction Fuzzy Hash: 88113771D04214B6D710EA959845BDEB77C9B08714F15006FF904B2281EB7CAE448A6F
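The function listings above (the clipboard block, the Firefox cookies.sqlite block, the CoGetObject block with its "Elevation:Administrator!new:" moniker) are the raw material an analyst turns into capability tags. The following is an added example, not part of this Joe Sandbox report and not Joe Sandbox code: it parses the "APIs" / "String ID" lines in the format shown on this page and tags each function from the imports and strings it carries. The SAMPLE text is copied (trimmed) from three blocks above; the tag names and the rules in classify() are this example's own assumptions, not Joe Sandbox signatures or Yara rules. The report itself attributes the {3E5FC7F9-9A51-4367-9063-A120244FBEC7} moniker to the CMSTPLUA UAC bypass.

```python
"""Added example (not Joe Sandbox code): tag functions in a Joe Sandbox
per-function listing by the APIs and strings they reference."""
import re
from dataclasses import dataclass, field

# Constructed sample: three function blocks copied (trimmed) from this report.
SAMPLE = r"""
APIs
• EmptyClipboard.USER32 ref: 0041690B
• GlobalAlloc.KERNEL32(00002000,-00000002), ref: 0041692B
• SetClipboardData.USER32(0000000D,00000000), ref: 00416973
• OpenClipboard.USER32 ref: 00416997
• GetClipboardData.USER32(0000000D), ref: 004169A7
  • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
• String ID: !D@$xdF
• Instruction Fuzzy Hash: 23215171204301EBD714BB71DC5DAAE7AA9AF88746F00043EF946961E2EF3C8C45866A
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDEA
• FindNextFileA.KERNEL32(00000000,?), ref: 0040BEC4
• String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
• Instruction Fuzzy Hash: E0417F3190021AAACB04F7B2DC5A9EE7769AF11704F50057FF506B21E2EF385A458A9D
APIs
• _wcslen.LIBCMT ref: 0040755C
• CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
• String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] ucmAllocateElevatedObject${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
• Instruction Fuzzy Hash: 88113771D04214B6D710EA959845BDEB77C9B08714F15006FF904B2281EB7CAE448A6F
"""

# "• Name.MODULE(args), ref: ADDR", optionally prefixed by "Part of subcall function X:".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>[A-Za-z0-9_]+)(?:\((?P<args>.*)\))?,?\s+ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
STRING_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<strings>.*)$")
BLOCK_END = "Instruction Fuzzy Hash:"   # last line of every function block on the page


@dataclass
class FunctionBlock:
    first_ref: str = ""                      # address of the first direct call
    apis: list = field(default_factory=list) # (MODULE, name, from_subcall)
    strings: list = field(default_factory=list)
    tags: list = field(default_factory=list)


def classify(fb):
    """Hypothetical capability rules (this example's own, not Joe Sandbox's)."""
    names = {name for _, name, _ in fb.apis}
    blob = "\n".join(fb.strings)
    rules = [
        ("clipboard-access", names & {"OpenClipboard", "GetClipboardData", "SetClipboardData"}),
        ("socket-send", "send" in names),
        ("process-enumeration", "CreateToolhelp32Snapshot" in names and names & {"Process32FirstW", "Process32NextW"}),
        ("keystroke-translation", "ToUnicodeEx" in names and "GetKeyboardState" in names),
        ("service-enumeration", "EnumServicesStatusW" in names),
        ("power-control", "ExitWindowsEx" in names or "SetSuspendState" in blob),
        ("recursive-delete", "DeleteFileW" in names and "RemoveDirectoryW" in names),
        ("firefox-cookie-store", "cookies.sqlite" in blob and "Mozilla" in blob),
        ("uac-bypass-elevation-moniker", "CoGetObject" in names and "Elevation:Administrator!new:" in blob),
        ("cmstplua-clsid", "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" in blob),
    ]
    return [tag for tag, hit in rules if hit]


def parse_blocks(text):
    """Split the listing into function blocks and tag each one."""
    blocks, cur = [], FunctionBlock()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            cur.apis.append((m["module"].upper(), m["name"], m["sub"] is not None))
            if m["sub"] is None and not cur.first_ref:
                cur.first_ref = m["ref"]
            continue
        m = STRING_RE.match(line)
        if m:
            # Joe Sandbox joins the strings with '$'; empty fragments are dropped.
            cur.strings.extend(s for s in m["strings"].split("$") if s)
            continue
        if BLOCK_END in line:
            cur.tags = classify(cur)
            blocks.append(cur)
            cur = FunctionBlock()
    return blocks


if __name__ == "__main__":
    for b in parse_blocks(SAMPLE):
        print(b.first_ref, ", ".join(b.tags) or "(untagged)")
```

Feed it the whole function listing of a report and the untagged blocks are the ones still worth a manual look; the rules are deliberately conservative so that a tag reflects a specific API-plus-string combination rather than a single generic import.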
                                  APIs
                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A7EF
                                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A83E
                                  • GetLastError.KERNEL32 ref: 0041A84C
                                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A884
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                  • String ID:
                                  • API String ID: 3587775597-0
                                  • Opcode ID: 6829f97737706ffae818d601d13e90887b13f82653637559be9d75c8c2a528fc
                                  • Instruction ID: 52116c85fb856a5ac6c14b0259405ec20ae2fa8d9cc538ef9907a440d1633313
                                  • Opcode Fuzzy Hash: 6829f97737706ffae818d601d13e90887b13f82653637559be9d75c8c2a528fc
                                  • Instruction Fuzzy Hash: 17817071104301ABC304EF61D885DAFB7A8FF94749F50082EF185521A2EF78EE49CB9A
                                  APIs
                                  • FindFirstFileW.KERNEL32(00000000,?), ref: 00419DDC
                                  • FindNextFileW.KERNEL32(00000000,?,?), ref: 00419EA8
                                    • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Find$CreateFirstNext
                                  • String ID: 8SG$8eF$PXG$PXG$pW$NG
                                  • API String ID: 341183262-112878505
                                  • Opcode ID: 54ba81e991093c6dccfdaf9162f41bafa2f6235a57d0cd9d07ce0c43f714be51
                                  • Instruction ID: 0eaaaed992bec346a468a6d62c1d6888972f0568f5be94e2eef244f320132bd5
                                  • Opcode Fuzzy Hash: 54ba81e991093c6dccfdaf9162f41bafa2f6235a57d0cd9d07ce0c43f714be51
                                  • Instruction Fuzzy Hash: 998151315083415BC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A
                                  APIs
                                    • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                  • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045279C
                                  • IsValidCodePage.KERNEL32(00000000), ref: 004527F7
                                  • IsValidLocale.KERNEL32(?,00000001), ref: 00452806
                                  • GetLocaleInfoW.KERNEL32(?,00001001,JD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045284E
                                  • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 0045286D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                  • String ID: JD$JD$JD
                                  • API String ID: 745075371-3517165026
                                  • Opcode ID: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                  • Instruction ID: 3c84011e7dbdf7a6f9673bc5a23f9f2f22d5020eb6794df094384b3d0215d6fb
                                  • Opcode Fuzzy Hash: d20e60e436924f937cd003670a139ed53a354482d02232a94d44678fcfb69b99
                                  • Instruction Fuzzy Hash: 9B518571900205ABDB10DFA5CD45ABF77B8EF0A702F04046BED14E7292E7B89948CB69
                                  APIs
                                  • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C3D6
                                  • FindNextFileW.KERNEL32(00000000,?), ref: 0040C4A9
                                  • FindClose.KERNEL32(00000000), ref: 0040C4B8
                                  • FindClose.KERNEL32(00000000), ref: 0040C4E3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$CloseFile$FirstNext
                                  • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                  • API String ID: 1164774033-405221262
                                  • Opcode ID: 07425786a733f007aeb9a950477bd56cbd674cdc9204bf77bad9fc47ca870fce
                                  • Instruction ID: 33618048715e6b2d4a7b39963b1e19558724686ef99070a322097c87c0ca4c0c
                                  • Opcode Fuzzy Hash: 07425786a733f007aeb9a950477bd56cbd674cdc9204bf77bad9fc47ca870fce
                                  • Instruction Fuzzy Hash: 59313E31500219AACB14E761DC9A9EE7778AF50719F10057FF106B21E2EF7C9946CA4D
                                  APIs
                                  • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C37D
                                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3AD
                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C41F
                                  • DeleteFileW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C42C
                                    • Part of subcall function 0041C322: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C402
                                  • GetLastError.KERNEL32(?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C44D
                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C463
                                  • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C46A
                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C473
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                  • String ID:
                                  • API String ID: 2341273852-0
                                  • Opcode ID: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
                                  • Instruction ID: 53b23dfad01ba0d5beec27b7c27070a1caf437d6ccbc5233b8522822963bc02e
                                  • Opcode Fuzzy Hash: 74fc921fbbcb6c35e60b9a8f4f047a03f237c0767a03969ab094381de9c75e57
                                  • Instruction Fuzzy Hash: 4A31807284431CAADB24E761DC89EEB736CAF09305F0405FBF559D2051EB3DDAC98A58
                                  APIs
                                  • GetForegroundWindow.USER32(?,?,004750F0), ref: 0040A451
                                  • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                  • GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                  • GetKeyState.USER32(00000010), ref: 0040A46E
                                  • GetKeyboardState.USER32(?,?,004750F0), ref: 0040A479
                                  • ToUnicodeEx.USER32(00475144,00000000,?,?,00000010,00000000,00000000), ref: 0040A49C
                                  • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                  • ToUnicodeEx.USER32(00475144,?,?,?,00000010,00000000,00000000), ref: 0040A535
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                  • String ID:
                                  • API String ID: 1888522110-0
                                  • Opcode ID: 1fbef96bbf5188aadc2f193688702ae07512c2e2bc484e71aa5862d9cec23228
                                  • Instruction ID: fd17a64e9e4f7f825196359ceba3421c6f582a70c0a4c9d277f8a97da3dc7bda
                                  • Opcode Fuzzy Hash: 1fbef96bbf5188aadc2f193688702ae07512c2e2bc484e71aa5862d9cec23228
                                  • Instruction Fuzzy Hash: 1E316D72504308BFD700DF90DC45F9B7BECBB88744F00083AB645D61A0D7B5E9498BA6
                                  APIs
                                  • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140D8
                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004140E4
                                    • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                  • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004142A5
                                  • GetProcAddress.KERNEL32(00000000), ref: 004142AC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressCloseCreateLibraryLoadProcsend
                                  • String ID: SHDeleteKeyW$Shlwapi.dll
                                  • API String ID: 2127411465-314212984
                                  • Opcode ID: 906faeb5203d37c74ddcedaba27fd20c986479be3f450a41c0319093749beec0
                                  • Instruction ID: 51cedef5a77654bf04fe1bae55708f30d4330cefe0c145b830acf249c6506b6e
                                  • Opcode Fuzzy Hash: 906faeb5203d37c74ddcedaba27fd20c986479be3f450a41c0319093749beec0
                                  • Instruction Fuzzy Hash: 16B1F671A0430066CA14FB76DC579AF36A85F91788F40053FB906771E2EE7D8A48C6DA
                                  APIs
                                  • _free.LIBCMT ref: 00449292
                                  • _free.LIBCMT ref: 004492B6
                                  • _free.LIBCMT ref: 0044943D
                                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                  • _free.LIBCMT ref: 00449609
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                  • String ID:
                                  • API String ID: 314583886-0
                                  • Opcode ID: c2b1962c1ebc2f99b5de385c42237df108cb8a1ba45414c6f63217a1feaaf9e8
                                  • Instruction ID: 020e1479f4dc59d8c1013f8997fe2690be381d41ecad25fd3e4808fcef6bdafa
                                  • Opcode Fuzzy Hash: c2b1962c1ebc2f99b5de385c42237df108cb8a1ba45414c6f63217a1feaaf9e8
                                  • Instruction Fuzzy Hash: E0C13A71900205ABFB24DF79CD41AAF7BA8EF46314F2405AFE884D7291E7788D42D758
                                  APIs
                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FF7
                                  • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070DB
                                  Strings
                                  • 0aF, xrefs: 0040701B
                                  • open, xrefs: 00406FF1
                                  • C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe, xrefs: 00407042, 0040716A
                                  • 0aF, xrefs: 0040712C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: DownloadExecuteFileShell
                                  • String ID: 0aF$0aF$C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe$open
                                  • API String ID: 2825088817-2167215267
                                  • Opcode ID: a3d80589f937fc00409f1c87b067b324c796cd20f872ee043c00395bc31b0696
                                  • Instruction ID: 89f65c5a2840bfed21b3c91f130df949caec66636536da5e2ea9f2eef63816fc
                                  • Opcode Fuzzy Hash: a3d80589f937fc00409f1c87b067b324c796cd20f872ee043c00395bc31b0696
                                  • Instruction Fuzzy Hash: 5261B371A0830166CA14FB76C8569BE37A59F81758F40093FB9427B2D3EE3C9905C69B
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0040884C
                                  • FindFirstFileW.KERNEL32(00000000,?,00466618,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408905
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040892D
                                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040893A
                                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A50
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                  • String ID: xdF
                                  • API String ID: 1771804793-999140092
                                  • Opcode ID: f4b51b2c778cc903a76b83995408fe472956efc0dc2707ff349452219b6188ab
                                  • Instruction ID: 0d5560aa06bbfb8d15084ed76e809f646cede1ce68103026aeaac9ba950e1e68
                                  • Opcode Fuzzy Hash: f4b51b2c778cc903a76b83995408fe472956efc0dc2707ff349452219b6188ab
                                  • Instruction Fuzzy Hash: 9D517F72900209AACB04FB65DD569ED7778AF10308F50417FB906B71E2EF389B49CB89
                                  APIs
                                  • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA89
                                  • GetLastError.KERNEL32 ref: 0040BA93
                                  Strings
                                  • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA54
                                  • [Chrome StoredLogins found, cleared!], xrefs: 0040BAB9
                                  • UserProfile, xrefs: 0040BA59
                                  • [Chrome StoredLogins not found], xrefs: 0040BAAD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: DeleteErrorFileLast
                                  • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                  • API String ID: 2018770650-1062637481
                                  • Opcode ID: 8d1b9c386d9f6ca777f4705084fddfe26be0f649cbc95c9792bf321ed182c299
                                  • Instruction ID: 0532e36a1aab116e50a9f1d1704ee325f44086adb43c50cfffb7bf5285f9a594
                                  • Opcode Fuzzy Hash: 8d1b9c386d9f6ca777f4705084fddfe26be0f649cbc95c9792bf321ed182c299
                                  • Instruction Fuzzy Hash: 76018F61A402056ACB04B7B6DC5B9BE7724A921704B50057FF806722D2FE7D49098BDE
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041799A
                                  • OpenProcessToken.ADVAPI32(00000000), ref: 004179A1
                                  • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004179B3
                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 004179D2
                                  • GetLastError.KERNEL32 ref: 004179D8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                  • String ID: SeShutdownPrivilege
                                  • API String ID: 3534403312-3733053543
                                  • Opcode ID: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                  • Instruction ID: 35ac2027e355ce869dd6e937a138cd84cb59798e299a7bc9dfe05b1c572390d3
                                  • Opcode Fuzzy Hash: d49d9c43419eaec1bfbdc5cb8a800583ef6843b46de48ba71f06d4aa9fea9060
                                  • Instruction Fuzzy Hash: 38F03A71802229FBDB10ABA1EC4DAEF7FBCEF05612F100465B909A1152D7348E04CBB5
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __floor_pentium4
                                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                  • API String ID: 4168288129-2761157908
                                  • Opcode ID: e29b251e1eee29052bf5b6da388e4b2e308b35626dbf2dd5d7aa75add96dd8b0
                                  • Instruction ID: 22fd31c6184e07a9d3e8c26eafc68e38345e899adb4ac4f90a3aea4af7cb717d
                                  • Opcode Fuzzy Hash: e29b251e1eee29052bf5b6da388e4b2e308b35626dbf2dd5d7aa75add96dd8b0
                                  • Instruction Fuzzy Hash: BBC27E71D046288FDB25CE28DD407EAB3B5EB8530AF1541EBD80DE7241E778AE898F45
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00409293
                                    • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                    • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040932F
                                  • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040938D
                                  • FindNextFileW.KERNEL32(00000000,?), ref: 004093E5
                                  • FindClose.KERNEL32(00000000), ref: 004093FC
                                    • Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                    • Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                    • Part of subcall function 00404E26: CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                  • FindClose.KERNEL32(00000000), ref: 004095F4
                                    • Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(00000000,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                    • Part of subcall function 00404AA1: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                                  • String ID:
                                  • API String ID: 1824512719-0
                                  • Opcode ID: 5217273ce41631ec4f36bb50ecbc328d28b03a03593037bf82bad60bde0a87b4
                                  • Instruction ID: 89df7f8b75d3b77417eb58d09b4f39b7dfb13bde992cfd9524fc7595df83f5be
                                  • Opcode Fuzzy Hash: 5217273ce41631ec4f36bb50ecbc328d28b03a03593037bf82bad60bde0a87b4
                                  • Instruction Fuzzy Hash: 34B19D32900109AACB14EBA1DD92AEDB379AF44314F50417FF506B60E2EF785F49CB59
                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A731,00000000), ref: 0041AAE4
                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A731,00000000), ref: 0041AAF9
                                  • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB06
                                  • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A731,00000000), ref: 0041AB11
                                  • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB23
                                  • CloseServiceHandle.ADVAPI32(00000000,?,0041A731,00000000), ref: 0041AB26
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$Open$ManagerStart
                                  • String ID:
                                  • API String ID: 276877138-0
                                  • Opcode ID: d2aae47141dcf0d9b89d10f0773cee60e0a3b0657566105474702d9dbd979937
                                  • Instruction ID: 14dbf03deabb1432b93a26d2ddf90514dbbc411f15d31c7908333a88c2a5d316
                                  • Opcode Fuzzy Hash: d2aae47141dcf0d9b89d10f0773cee60e0a3b0657566105474702d9dbd979937
                                  • Instruction Fuzzy Hash: FEF0E971141225AFD2115B209C88DFF276CDF85B66B00082AF901921919B68CC45E579
                                  APIs
                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 00452555
                                  • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,004527DB,?,00000000), ref: 0045257E
                                  • GetACP.KERNEL32(?,?,004527DB,?,00000000), ref: 00452593
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InfoLocale
                                  • String ID: ACP$OCP
                                  • API String ID: 2299586839-711371036
                                  • Opcode ID: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                  • Instruction ID: 097c3b5166b2d36aca1cb621bb06e922528e2ea4561953c90108b9915aa2a338
                                  • Opcode Fuzzy Hash: 61c68c86ee519c97ea86d50e82dd2762e668b1fdc7e44e8e256cfbf4b452970f
                                  • Instruction Fuzzy Hash: 7E21F932600108B6D734CF14CA10A9B73A6EB16B53B564467ED09D7312F7B6DD44C398
                                  APIs
                                  • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407892
                                  • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040795A
                                    • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileFind$FirstNextsend
                                  • String ID: 8eF$XPG$XPG
                                  • API String ID: 4113138495-4157548504
                                  • Opcode ID: 20c8045531a9471aa8b02c6f4ac93d25acd726a71398db01e6c16fdcd5dcb5aa
                                  • Instruction ID: fedc3c23448d2be437c2d68ef58725aa3c97e5c0e74d328490a6b39f64eed896
                                  • Opcode Fuzzy Hash: 20c8045531a9471aa8b02c6f4ac93d25acd726a71398db01e6c16fdcd5dcb5aa
                                  • Instruction Fuzzy Hash: 2D21A4315083015BC714FB61D895CEFB3ACAF90358F40493EF696620E1FF78AA098A5B
                                  APIs
                                  • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041CB68
                                    • Part of subcall function 004137AA: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004137B9
                                    • Part of subcall function 004137AA: RegSetValueExA.KERNEL32(?,004674C8,00000000,?,00000000,00000000,004752F0,?,?,0040F88E,004674C8,5.1.2 Pro), ref: 004137E1
                                    • Part of subcall function 004137AA: RegCloseKey.KERNEL32(?,?,?,0040F88E,004674C8,5.1.2 Pro), ref: 004137EC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseCreateInfoParametersSystemValue
                                  • String ID: ,aF$Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                  • API String ID: 4127273184-3126330168
                                  • Opcode ID: 1b8314d2076e9d5c703d8fca3d96c61d813be21baf7682ae790ff92cd480d8bc
                                  • Instruction ID: 8ac436d711b2fc3476497f69dc57c3b9a547a247a31514f467319d0910454585
                                  • Opcode Fuzzy Hash: 1b8314d2076e9d5c703d8fca3d96c61d813be21baf7682ae790ff92cd480d8bc
                                  • Instruction Fuzzy Hash: D7118472BC425022E81831396D9BFBE28068343F61F54456BF6022A6CAE4CF6A9143CF
                                  APIs
                                  • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041B54A
                                  • LoadResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B55E
                                  • LockResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B565
                                  • SizeofResource.KERNEL32(00000000,?,?,0040F419,00000000), ref: 0041B574
                                  Strings
                                  Similarity
                                  • API ID: Resource$FindLoadLockSizeof
                                  • String ID: SETTINGS
                                  • API String ID: 3473537107-594951305
                                  • Opcode ID: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                  • Instruction ID: d04f7a3eece584ab18b37ce022e38df3785cd6d6757b7dd0dc659012c7d5cbc3
                                  • Opcode Fuzzy Hash: a45aaf07b9511fe1cfb91064365b640b81f442c86eb18a115f7d7951e0b61df2
                                  • Instruction Fuzzy Hash: 8EE01A76600B22EBEB211BB1AC4CD863E29F7C97637140075F90586231CB798840DA98
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 004096A5
                                  • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040971D
                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00409746
                                  • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040975D
                                  Similarity
                                  • API ID: Find$File$CloseFirstH_prologNext
                                  • String ID:
                                  • API String ID: 1157919129-0
                                  • Opcode ID: a4f9002d73e35e52d1f42a8e8860448eabd2e2251ec59754596a7abefe28d24e
                                  • Instruction ID: 8e52766585a78a9bd0f7e398a9017c7fe376444e683812dd136b20495b515571
                                  • Opcode Fuzzy Hash: a4f9002d73e35e52d1f42a8e8860448eabd2e2251ec59754596a7abefe28d24e
                                  • Instruction Fuzzy Hash: 7F814C328001099BCB15EBA2DC969EDB378AF14318F10417FE506B71E2EF789E49CB58
                                  APIs
                                    • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444AF4,?,?,?,?,?,?,00000004), ref: 00451E3A
                                  • _wcschr.LIBVCRUNTIME ref: 00451ECA
                                  • _wcschr.LIBVCRUNTIME ref: 00451ED8
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00444AF4,00000000,00444C14), ref: 00451F7B
                                  Similarity
                                  • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                  • String ID:
                                  • API String ID: 4212172061-0
                                  • Opcode ID: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                                  • Instruction ID: 2c98265d6c7a89d72caae9d33925a6d6107158c78f730362dcab12f0c71d6669
                                  • Opcode Fuzzy Hash: 542ab58a55aa9f08c463a9389d0e41dfe4354c1e35855495671bf6e32f2bde7c
                                  • Instruction Fuzzy Hash: 7F611976600606AAD714AB75CC42FBB73A8EF04306F14056FFD05DB292EB78E948C769
                                  APIs
                                    • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                  • EnumSystemLocalesW.KERNEL32(00452143,00000001,00000000,?,JD,?,00452770,00000000,?,?,?), ref: 0045208D
                                  Strings
                                  Similarity
                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                  • String ID: p'E$JD
                                  • API String ID: 1084509184-908320845
                                  • Opcode ID: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                                  • Instruction ID: b0e9e6415e7ea3a3ed95e939ef0edb9d062384d4a1a0bde9f31cc9ceae225fa6
                                  • Opcode Fuzzy Hash: 475d6d5c58d7186cd22417851423cdf86cfe6bc0717def2965f4a7021c27fb53
                                  • Instruction Fuzzy Hash: 0211553A2007019FDB189F39C9916BBBB92FF8075AB14482EEE4687B41D7B5A946C740
                                  APIs
                                    • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452197
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004521E8
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004522A8
                                  Similarity
                                  • API ID: ErrorInfoLastLocale$_free$_abort
                                  • String ID:
                                  • API String ID: 2829624132-0
                                  • Opcode ID: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                                  • Instruction ID: 283aa9570716a6929da4b93cb0bca45b8c77d553a5ebfd19e37a994bad1de6ac
                                  • Opcode Fuzzy Hash: 1ce7e7c7dfcd5f502045176aa51a1e3ace1f8c45826c3dbb4c0c9878229dab74
                                  • Instruction Fuzzy Hash: F361A235500207ABDF289F24CE82B7A77A8EF05306F1441BBED05C6656E7BC9D89CB58
                                  APIs
                                  • IsDebuggerPresent.KERNEL32 ref: 0043BC69
                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043BC73
                                  • UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC80
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                  • String ID:
                                  • API String ID: 3906539128-0
                                  • Opcode ID: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                  • Instruction ID: 25e88f5a56b9fbea854716c485460a06fbe33a825339a9765be54c88dd7cea35
                                  • Opcode Fuzzy Hash: 1e0b73e88f7870ac8a7e49df57248e9339733cda2bb7518ac33a0b9eb889d704
                                  • Instruction Fuzzy Hash: 0431D374901218ABCB21DF65D9887CDBBB8EF0C311F5051EAE81CA7251EB749F818F48
                                  APIs
                                  • GetCurrentProcess.KERNEL32(?,?,0044332B,?), ref: 00443376
                                  • TerminateProcess.KERNEL32(00000000,?,0044332B,?), ref: 0044337D
                                  • ExitProcess.KERNEL32 ref: 0044338F
                                  Similarity
                                  • API ID: Process$CurrentExitTerminate
                                  • String ID:
                                  • API String ID: 1703294689-0
                                  • Opcode ID: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                  • Instruction ID: 4b22f3a5ffe79ca7dfb81d814e561f82a31e4bef9a776fe0bb9daccb8e878f4b
                                  • Opcode Fuzzy Hash: 4e3b9aa1e9039f050651c305726e439f17232b6e89e74059b12d513dd76054c6
                                  • Instruction Fuzzy Hash: 9FE0B635401608FBDF11AF55DE09A5D3BAAEB40B56F005469FC498A272CF79EE42CB88
                                  APIs
                                  • OpenClipboard.USER32(00000000), ref: 0040B74C
                                  • GetClipboardData.USER32(0000000D), ref: 0040B758
                                  • CloseClipboard.USER32 ref: 0040B760
                                  Similarity
                                  • API ID: Clipboard$CloseDataOpen
                                  • String ID:
                                  • API String ID: 2058664381-0
                                  • Opcode ID: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
                                  • Instruction ID: 1c65eecdd0087a0ffd0b0a04a5b63b9ff0c479b34dfa65f2e767e94bdce73387
                                  • Opcode Fuzzy Hash: ee7560bd864c47a473b03ccd03fab4bf0c670c3a92a751b3696d255e79ff2f15
                                  • Instruction Fuzzy Hash: 45E0EC31745320EFC3206B609C49F9B6AA4DF85B52F05443AB905BB2E5DB78CC4086AD
                                  APIs
                                  • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041605F,00000000), ref: 0041BBD1
                                  • NtResumeProcess.NTDLL(00000000), ref: 0041BBDE
                                  • CloseHandle.KERNEL32(00000000,?,?,0041605F,00000000), ref: 0041BBE7
                                  Similarity
                                  • API ID: Process$CloseHandleOpenResume
                                  • String ID:
                                  • API String ID: 3614150671-0
                                  • Opcode ID: dda695613aab68fa1ce07225af6d1ac6bad924da5be1ebe3a2a6355b7b364d52
                                  • Instruction ID: 00af7d86c2812e48088786baf9e1e683bef33431c8858657b58e82835f0f92e7
                                  • Opcode Fuzzy Hash: dda695613aab68fa1ce07225af6d1ac6bad924da5be1ebe3a2a6355b7b364d52
                                  • Instruction Fuzzy Hash: 7AD05E36204121E3C220176A7C0CD97AD68DBC5AA2705412AF804C22609A60CC0186E4
                                  APIs
                                  • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,0041603A,00000000), ref: 0041BBA5
                                  • NtSuspendProcess.NTDLL(00000000), ref: 0041BBB2
                                  • CloseHandle.KERNEL32(00000000,?,?,0041603A,00000000), ref: 0041BBBB
                                  Similarity
                                  • API ID: Process$CloseHandleOpenSuspend
                                  • String ID:
                                  • API String ID: 1999457699-0
                                  • Opcode ID: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                  • Instruction ID: 611eda4fe747f1c58df557fb912083c2b4b70512fbfbfb6239720577e9304ccf
                                  • Opcode Fuzzy Hash: dd0b989ddcc61b84e262834eab0f6eafaf8d61dce4d0b86b08aa1b4c832549dd
                                  • Instruction Fuzzy Hash: 98D05E36204121E3C7211B6A7C0CD97AD68DFC5AA2705412AF804D26549A20CC0186E4
                                  Strings
                                  Similarity
                                  • API ID:
                                  • String ID: .
                                  • API String ID: 0-248832578
                                  • Opcode ID: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                                  • Instruction ID: 7baa6cf80f4bdea99dbc4d330b45aada8194c6230f36d830dc1b60d3871032d3
                                  • Opcode Fuzzy Hash: e4ba95ef050ff9873834a062f40f8bfe8ca2f849e5d953d5b04f24550caf4fd0
                                  • Instruction Fuzzy Hash: DF3107B1900259AFEB24DE7ACC84EFB7BBDEB46318F0401AEF41897291E6349D418B54
                                  APIs
                                    • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                  • EnumSystemLocalesW.KERNEL32(00452393,00000001,?,?,JD,?,00452734,JD,?,?,?,?,?,00444AED,?,?), ref: 00452102
                                  Strings
                                  Similarity
                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                  • String ID: JD
                                  • API String ID: 1084509184-2669065882
                                  • Opcode ID: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                                  • Instruction ID: 883a99871793c155097d9da94a803295819168bd30f8f35cc04eca091e96b9f4
                                  • Opcode Fuzzy Hash: 43afbb6a7401c46fb6bd1099fc40b6d5da7848bdbd3577d5ff827f5c50c4ae4e
                                  • Instruction Fuzzy Hash: E8F0FF363007056FDB245F399881A6B7B96FB82769B04482EFE458B682DAB99C42D604
                                  APIs
                                  • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004489C0
                                  Strings
                                  Similarity
                                  • API ID: InfoLocale
                                  • String ID: GetLocaleInfoEx
                                  • API String ID: 2299586839-2904428671
                                  • Opcode ID: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
                                  • Instruction ID: 58f0578312c774904006f9ed4749830948a62bec6dc8fde4d932476f73229d15
                                  • Opcode Fuzzy Hash: 53574c2ecf56bfb558b2c309ca3eb91f9c7a0a18e0f2245662e0b0bedf18becb
                                  • Instruction Fuzzy Hash: C0F0F631640608FBDB016F61DC06F6E7B25EB04751F00056EFC0966251DE368D2096DE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 321144b451aceacc10be44255a5eb5313de52b8189587c3c0fdae4375c3dd106
                                  • Instruction ID: f88ef0336175cd1615890b4a552d96ffb4623b3c947145a2eaf1ae153763923c
                                  • Opcode Fuzzy Hash: 321144b451aceacc10be44255a5eb5313de52b8189587c3c0fdae4375c3dd106
                                  • Instruction Fuzzy Hash: AA025D71E002199BEF14CFA9D8806AEFBF1FF49314F26816AD819E7384D734AD418B85
                                  APIs
                                  • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
                                  • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 00412129
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Heap$FreeProcess
                                  • String ID:
                                  • API String ID: 3859560861-0
                                  • Opcode ID: 5801a203d1619bed6c8a9db4d4e6f7c09651a2c1722533c7d7743465b50f68e9
                                  • Instruction ID: dd486cb6b879bf1be37f4e59d5b3b18419fca2aff5c7e471244091183f2ba527
                                  • Opcode Fuzzy Hash: 5801a203d1619bed6c8a9db4d4e6f7c09651a2c1722533c7d7743465b50f68e9
                                  • Instruction Fuzzy Hash: 0D113632000B11AFC7309F54DE85957BBEAFF08715305892EF29682922CB75FCA0CB48
                                  APIs
                                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004533A6,?,?,00000008,?,?,0045625D,00000000), ref: 004535D8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExceptionRaise
                                  • String ID:
                                  • API String ID: 3997070919-0
                                  • Opcode ID: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                  • Instruction ID: 7263c04077df6a1dd25da4ac29b5b982fa38ace811980f45f75c7c5cedc24273
                                  • Opcode Fuzzy Hash: 7607852d8e830f82297ee51b6d0742b1a7d4b3e0fd86a5f67b8f7d07b9d25eec
                                  • Instruction Fuzzy Hash: 0FB13B315106089FD715CF28C48AB657BE0FF053A6F25865DE899CF3A2C339EA96CB44
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 0
                                  • API String ID: 0-4108050209
                                  • Opcode ID: ac460f81c2ed1c183269c9f6522614bdccbebbe18bfaf8fef360a7d89dd83e89
                                  • Instruction ID: b5ae8e6f7fa87a7dee9e60626e0a37a25df5f2dd99b83f8da903d7583ecded6c
                                  • Opcode Fuzzy Hash: ac460f81c2ed1c183269c9f6522614bdccbebbe18bfaf8fef360a7d89dd83e89
                                  • Instruction Fuzzy Hash: 0C129E727083048BD304DF65D882A1EB7E2BFCC758F15892EF495AB381DA74E915CB86
                                  APIs
                                  • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00434CCF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FeaturePresentProcessor
                                  • String ID:
                                  • API String ID: 2325560087-0
                                  • Opcode ID: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                  • Instruction ID: 5e37b39ef68b784d6588b9ddffa6793edf4c3ade0924e8be62ba08be237937aa
                                  • Opcode Fuzzy Hash: 4259bdeace04940204f61aa74a979230364aaba3051b8f8e0efcae6fb7ed6494
                                  • Instruction Fuzzy Hash: E4515B71D002488FEB24CF69D98579EBBF4FB88314F24956BD419EB264D378A940CF98
                                  APIs
                                    • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482F4
                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004523E7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$_free$InfoLocale_abort
                                  • String ID:
                                  • API String ID: 1663032902-0
                                  • Opcode ID: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                  • Instruction ID: 2d4dd0c1c30cd12b50dfb53a4a1f7f5f9091958bb121381f53cce851c87d7921
                                  • Opcode Fuzzy Hash: b4047fd74fafd511f87100a415ff7352fa71784cc782813174b617cf7262d9f7
                                  • Instruction Fuzzy Hash: F921D632600606ABDB249F25DD41FBB73A8EB06316F10407FED01D6152EBBC9D48CB59
                                  APIs
                                    • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00452361,00000000,00000000,?), ref: 004525EF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$InfoLocale_abort_free
                                  • String ID:
                                  • API String ID: 2692324296-0
                                  • Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                  • Instruction ID: 8c29d710edde3bbc403447a64c1727e90569dbd09ff88c71ffccea9529c81983
                                  • Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
                                  • Instruction Fuzzy Hash: C4F04936A00116BBDB245A24D905BBF7B58EB01315F04446BEC05A3241FAF8FD058694
                                  APIs
                                    • Part of subcall function 00445909: EnterCriticalSection.KERNEL32(-0006D41D,?,0044305C,00000000,0046E938,0000000C,00443017,?,?,?,00445BA7,?,?,0044834A,00000001,00000364), ref: 00445918
                                  • EnumSystemLocalesW.KERNEL32(0044843E,00000001,0046EAE0,0000000C), ref: 004484BC
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CriticalEnterEnumLocalesSectionSystem
                                  • String ID:
                                  • API String ID: 1272433827-0
                                  • Opcode ID: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                  • Instruction ID: 901ea181f65c0ebd25502bb0be635eecd519ab6688482fb1bf3a60b9f01fb263
                                  • Opcode Fuzzy Hash: 08771b5932cf67d2f7a499a1ea32343f451e1cff339441a182db03018af17ba2
                                  • Instruction Fuzzy Hash: 37F04F76A50200EFEB00EF69D946B4D37E0FB04725F10446EF514DB2A2DB7899809B49
                                  APIs
                                    • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                  • EnumSystemLocalesW.KERNEL32(00451F27,00000001,?,?,?,00452792,JD,?,?,?,?,?,00444AED,?,?,?), ref: 00452007
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                  • String ID:
                                  • API String ID: 1084509184-0
                                  • Opcode ID: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                  • Instruction ID: 16a122e2f6617649f53ffd93528404cf76eb0d70ff9257d35f530b0535ef024d
                                  • Opcode Fuzzy Hash: 06cdaad2b1dd0330ee545a4703de2c72ad4f4425d90ac6c7aa7d45dfeb8c5d5b
                                  • Instruction Fuzzy Hash: 84F0203630020597CB04AF75D845B6A7F90EB82729B06009AFE058B6A2C7799842C754
                                  APIs
                                  • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00415537,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.2 Pro), ref: 0040F920
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InfoLocale
                                  • String ID:
                                  • API String ID: 2299586839-0
                                  • Opcode ID: 2888965568e38a2ba7a5abe7093904758464576a93ba76aee1c710f175ee0f35
                                  • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                  • Opcode Fuzzy Hash: 2888965568e38a2ba7a5abe7093904758464576a93ba76aee1c710f175ee0f35
                                  • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1
                                  APIs
                                  • SetUnhandledExceptionFilter.KERNEL32(Function_00034BE4,0043490B), ref: 00434BDD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled
                                  • String ID:
                                  • API String ID: 3192549508-0
                                  • Opcode ID: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                  • Instruction ID: 702e07acd891e046c8aea5fc6397425f5e3bd38ef0af78e1c7fed93ac6412050
                                  • Opcode Fuzzy Hash: 2ffe05228c785604148d814c7fc250910b5f8136668f43492b8067ac5164d55b
                                  • Instruction Fuzzy Hash:
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: @
                                  • API String ID: 0-2766056989
                                  • Opcode ID: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                                  • Instruction ID: bbd91956ea41f9089fdf4ea26de33e0e8d132f349ea16d9e77f48d305cf446da
                                  • Opcode Fuzzy Hash: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                                  • Instruction Fuzzy Hash: F1412975A183558FC340CF29D58020AFBE1FFC8318F645A1EF889A3350D379E9428B86
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c092c4f6b84b18e3b6cbbf7fe4413e1147b07dd6558fe569cc2693f6d3c9d2d8
                                  • Instruction ID: 4200599dcb49c21c1ca78238ad82984ca11e49a574bdd01b256a4bdf4e559873
                                  • Opcode Fuzzy Hash: c092c4f6b84b18e3b6cbbf7fe4413e1147b07dd6558fe569cc2693f6d3c9d2d8
                                  • Instruction Fuzzy Hash: D2322521D69F414DE7239A35CC22336A24CBFB73C5F15D737E81AB5AAAEB29C4834105
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 11fe0a22ef666ee2c1bed35089f8503541a39c5702d52e9a7652229b453a748b
                                  • Instruction ID: 06c66d0f35fb266b7f69fbfce4f1f639eb17408d85dd7e5468211ecdc8378744
                                  • Opcode Fuzzy Hash: 11fe0a22ef666ee2c1bed35089f8503541a39c5702d52e9a7652229b453a748b
                                  • Instruction Fuzzy Hash: 7932C2716087459BC715DF28C4807ABB7E5BF84318F040A3EF89587392D779D98ACB8A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 069969c8f4566116342464d842351c7afe0a72e1e3c3dbe851ab1ff53bf1dd64
                                  • Instruction ID: b033fe34555866f616fd3cc64b543b740d9cc82fbf2d17309ab2a27531c6336b
                                  • Opcode Fuzzy Hash: 069969c8f4566116342464d842351c7afe0a72e1e3c3dbe851ab1ff53bf1dd64
                                  • Instruction Fuzzy Hash: 6C02CEB17046528BC358CF2EEC5053AB7E1AB8D311744863EE495C7781EB35FA22CB94
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 82c6eebf497a8783bea5e127f8a47c76021f3e74a05456d4a9fdc662aa60ff2a
                                  • Instruction ID: 06b531cc06dcd57701b547059d2c567c45bbe225ee7d26ac7aed84b394be02a5
                                  • Opcode Fuzzy Hash: 82c6eebf497a8783bea5e127f8a47c76021f3e74a05456d4a9fdc662aa60ff2a
                                  • Instruction Fuzzy Hash: 2DF19D716142558FC348CF1DE8A187BB3E1FB89311B450A2EF582C3391DB79EA16CB56
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                  • Instruction ID: 2ce137016e68017aebaac4bbf916a57dff7c64f07ba89619fc9d118b501662d8
                                  • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                  • Instruction Fuzzy Hash: F9C1D5B22091930AEF3D4639853063FFAA05E957B171A635FE4F2CB2D4FE18C924D514
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                  • Instruction ID: bc2d6065b6eca92eb436045fb502f22698d18e4b36ed1375ff5d5b4a3f5914d0
                                  • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                  • Instruction Fuzzy Hash: 75C1D7722091930AEF2D4739853463FFAA15EA57B171A236FE4F2CB2D4FE28C924D514
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                  • Instruction ID: 708e8454946620f186a1700387687a053fc407bd339bf74556c1f47a113f5a1a
                                  • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                  • Instruction Fuzzy Hash: 95C1C3B220D0930AEF3D4639853063FFAA15EA67B171A675ED4F2CB2D4FE18C924D614
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                  • Instruction ID: 79ee4f31eba35b7567f7a499d226924a3a6c1d38d98321864059dc3c63d33f3d
                                  • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                  • Instruction Fuzzy Hash: 76C1E6B220D0930AEF3D4639853463FBAA15EA57B171A236FD4F2CB2D4FE18C924C614
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2e85d6dc501202f3c2e801dccf0940871ddf0a86c450432c97aa3465398b7722
                                  • Instruction ID: 096ff1c695f9ab27d4b2dbab46670c8098de74970727e2ec16deab2a6828ec1d
                                  • Opcode Fuzzy Hash: 2e85d6dc501202f3c2e801dccf0940871ddf0a86c450432c97aa3465398b7722
                                  • Instruction Fuzzy Hash: EAB1A37951429A8ACB05EF68C4913F63BA1EF6A301F0850B9EC9CCF757D2398506EB24
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                                  • Instruction ID: 32d6082e35155a0a096806a6943d6f48c3d67459c64856e3d931f7c23e0710f9
                                  • Opcode Fuzzy Hash: 30caec0efc745099040319085d406cd9bdcff08e218f1b0552064e12ef4373be
                                  • Instruction Fuzzy Hash: 59618971202709A6EE34892B88967BF63949F6D314F10342FE983DB3C1D65DDD82931E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                                  • Instruction ID: 5d22fc1bcc5d638cf6a4a0606be4d5c4d5bba199c703cf788a7f99cafe8d65e8
                                  • Opcode Fuzzy Hash: 341ce5e44018b0d8febb5363e57dd776d1ec6df4a054cddc6676df713c6a7dda
                                  • Instruction Fuzzy Hash: 12615871602718A6DA38592B88977BF2384EB2D344F94351BE483DB3C1D75EAD43871E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                  • Instruction ID: 6c705508b021f12d90b9f9697341ee8142861c1d23b7247138392dbd6e0aa073
                                  • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                  • Instruction Fuzzy Hash: 59517671603604A7EF3445AB85567BF63899B0E304F18395FE882C73C2C52DDE02875E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                  • Instruction ID: 84bf5d8b6cf777f915eff3509e2c27b9c7ae744ab127a35c194aadb47efed811
                                  • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                  • Instruction Fuzzy Hash: E1517761E0660557DF38892A94D67BF23A59B4E308F18351FE483CB3C2C65EEE06835E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5391bdb46e7b363b15ab8dfbfe7515acbec1a5683836347dd09947684361f79a
                                  • Instruction ID: d4d389248adab082d17fbdeb677dfbf93ddf16fcbb8c162b69e64d6cf0e33668
                                  • Opcode Fuzzy Hash: 5391bdb46e7b363b15ab8dfbfe7515acbec1a5683836347dd09947684361f79a
                                  • Instruction Fuzzy Hash: 61615B72A083059BC308DF35E481A5FB7E4AFCC718F814E2EF595D6151EA74EA08CB86
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                  • Instruction ID: 582e3a7babb983407823034c482dc4f24404013c153b7f4d28c3fef3b0c68a44
                                  • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                  • Instruction Fuzzy Hash: 43113B7720034183D60CAA6DC4B45BBD795EADE320FBD627FF0414B744CA2AD4459508
                                  APIs
                                  • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418ECB
                                  • CreateCompatibleDC.GDI32(00000000), ref: 00418ED8
                                    • Part of subcall function 00419360: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419390
                                  • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F4E
                                  • DeleteDC.GDI32(00000000), ref: 00418F65
                                  • DeleteDC.GDI32(00000000), ref: 00418F68
                                  • DeleteObject.GDI32(00000000), ref: 00418F6B
                                  • SelectObject.GDI32(00000000,00000000), ref: 00418F8C
                                  • DeleteDC.GDI32(00000000), ref: 00418F9D
                                  • DeleteDC.GDI32(00000000), ref: 00418FA0
                                  • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418FC4
                                  • GetCursorInfo.USER32(?), ref: 00418FE2
                                  • GetIconInfo.USER32(?,?), ref: 00418FF8
                                  • DeleteObject.GDI32(?), ref: 00419027
                                  • DeleteObject.GDI32(?), ref: 00419034
                                  • DrawIcon.USER32(00000000,?,?,?), ref: 00419041
                                  • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00419077
                                  • GetObjectA.GDI32(00000000,00000018,?), ref: 004190A3
                                  • LocalAlloc.KERNEL32(00000040,00000001), ref: 00419110
                                  • GlobalAlloc.KERNEL32(00000000,?), ref: 0041917F
                                  • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004191A3
                                  • DeleteDC.GDI32(?), ref: 004191B7
                                  • DeleteDC.GDI32(00000000), ref: 004191BA
                                  • DeleteObject.GDI32(00000000), ref: 004191BD
                                  • GlobalFree.KERNEL32(?), ref: 004191C8
                                  • DeleteObject.GDI32(00000000), ref: 0041927C
                                  • GlobalFree.KERNEL32(?), ref: 00419283
                                  • DeleteDC.GDI32(?), ref: 00419293
                                  • DeleteDC.GDI32(00000000), ref: 0041929E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                                  • String ID: DISPLAY
                                  • API String ID: 4256916514-865373369
                                  • Opcode ID: 2247b608c21a3b8abac63767662b5221d2e7e1e487ff91865d3b7fb692dc0e69
                                  • Instruction ID: e1b8f987aa81746083de8242de432fb1856ba331ec6d7e725e66c1191a76d441
                                  • Opcode Fuzzy Hash: 2247b608c21a3b8abac63767662b5221d2e7e1e487ff91865d3b7fb692dc0e69
                                  • Instruction Fuzzy Hash: 64C14C71504301AFD720DF25DC48BABBBE9EB88715F04482EF98993291DB34ED45CB6A
                                  APIs
                                  • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418171
                                  • GetProcAddress.KERNEL32(00000000), ref: 00418174
                                  • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00418185
                                  • GetProcAddress.KERNEL32(00000000), ref: 00418188
                                  • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 00418199
                                  • GetProcAddress.KERNEL32(00000000), ref: 0041819C
                                  • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004181AD
                                  • GetProcAddress.KERNEL32(00000000), ref: 004181B0
                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418252
                                  • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041826A
                                  • GetThreadContext.KERNEL32(?,00000000), ref: 00418280
                                  • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004182A6
                                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418328
                                  • TerminateProcess.KERNEL32(?,00000000), ref: 0041833C
                                  • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041837C
                                  • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00418446
                                  • SetThreadContext.KERNEL32(?,00000000), ref: 00418463
                                  • ResumeThread.KERNEL32(?), ref: 00418470
                                  • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00418487
                                  • GetCurrentProcess.KERNEL32(?), ref: 00418492
                                  • TerminateProcess.KERNEL32(?,00000000), ref: 004184AD
                                  • GetLastError.KERNEL32 ref: 004184B5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                  • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`#v$ntdll
                                  • API String ID: 4188446516-108836778
                                  • Opcode ID: c823a5a523639eb235f5adfe7c5fce7303d6972b4bd708db87ed0c766a231877
                                  • Instruction ID: d7ba82c79e3f17b97bd8f2c1aaed993f07984c16d96ff77cb9dc1491e823fc6f
                                  • Opcode Fuzzy Hash: c823a5a523639eb235f5adfe7c5fce7303d6972b4bd708db87ed0c766a231877
                                  • Instruction Fuzzy Hash: 69A15FB0604305AFDB209F64DD85B6B7BE8FF48705F00482EF685D6291EB78D844CB59
                                  APIs
                                    • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                    • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D558
                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D56B
                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D584
                                  • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D5B4
                                    • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
                                    • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                    • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                    • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D7FF
                                  • ExitProcess.KERNEL32 ref: 0040D80B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                  • String ID: """, 0$")$8SG$@qF$@qF$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("$xdF$xpF
                                  • API String ID: 1861856835-1269936466
                                  • Opcode ID: 3831aceb1d22e6e7d0b93e81b17b4507cce6e75ae5e0c8aaec154484add800c1
                                  • Instruction ID: 9f807323933333198641953f201c1fc8368d74e19fdabe041c5449f7db564f80
                                  • Opcode Fuzzy Hash: 3831aceb1d22e6e7d0b93e81b17b4507cce6e75ae5e0c8aaec154484add800c1
                                  • Instruction Fuzzy Hash: 8791B0716082005AC315FB62D8529AF77A8AFD4309F10443FB64AA71E3EF7C9D49C65E
                                  APIs
                                    • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                    • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E0
                                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1F3
                                  • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D223
                                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D232
                                    • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
                                    • Part of subcall function 0040B8E7: UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                    • Part of subcall function 0040B8E7: TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910
                                    • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D44D
                                  • ExitProcess.KERNEL32 ref: 0040D454
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                  • String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("$xdF$xpF
                                  • API String ID: 3797177996-2858374497
                                  • Opcode ID: 5ea89510e99e255cff43ffc81d3dc9d7b560b2414651548bcd7dcad2d5155117
                                  • Instruction ID: f7f00373e35faeae073ffedb9d5543756e5675edee5c5b567d0d61755fae189b
                                  • Opcode Fuzzy Hash: 5ea89510e99e255cff43ffc81d3dc9d7b560b2414651548bcd7dcad2d5155117
                                  • Instruction Fuzzy Hash: 6181AF716082405AC315FB62D8529AF77A8AFD0308F10483FB58A671E3EF7C9E49C65E
                                  APIs
                                  • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,pW,00000003), ref: 004124CF
                                  • ExitProcess.KERNEL32(00000000), ref: 004124DB
                                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00412555
                                  • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412564
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041256F
                                  • CloseHandle.KERNEL32(00000000), ref: 00412576
                                  • GetCurrentProcessId.KERNEL32 ref: 0041257C
                                  • PathFileExistsW.SHLWAPI(?), ref: 004125AD
                                  • GetTempPathW.KERNEL32(00000104,?), ref: 00412610
                                  • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 0041262A
                                  • lstrcatW.KERNEL32(?,.exe), ref: 0041263C
                                    • Part of subcall function 0041C482: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466478,00000000,00000000,0040D434,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C4C1
                                  • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041267C
                                  • Sleep.KERNEL32(000001F4), ref: 004126BD
                                  • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004126D2
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126DD
                                  • CloseHandle.KERNEL32(00000000), ref: 004126E4
                                  • GetCurrentProcessId.KERNEL32 ref: 004126EA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                                  • String ID: .exe$8SG$WDH$exepath$open$pW$temp_
                                  • API String ID: 2649220323-1672278915
                                  • Opcode ID: e4498816270222a488e6bf5402939aedbcf49cf9c73125b441753154fee32edb
                                  • Instruction ID: ea0e71dbd1735df2f0ffa6a76a18ae54bfb239dee3d1740714ca762960b89f4c
                                  • Opcode Fuzzy Hash: e4498816270222a488e6bf5402939aedbcf49cf9c73125b441753154fee32edb
                                  • Instruction Fuzzy Hash: 4C51C871A00215BBDB10ABA09C99EFE336D9B04715F1041ABF501E71D2EF7C8E858A5D
                                  APIs
                                  • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B1CD
                                  • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B1E1
                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660B4), ref: 0041B209
                                  • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00474EE0,00000000), ref: 0041B21F
                                  • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B260
                                  • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B278
                                  • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B28D
                                  • SetEvent.KERNEL32 ref: 0041B2AA
                                  • WaitForSingleObject.KERNEL32(000001F4), ref: 0041B2BB
                                  • CloseHandle.KERNEL32 ref: 0041B2CB
                                  • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B2ED
                                  • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B2F7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                  • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
                                  • API String ID: 738084811-2094122233
                                  • Opcode ID: 1d877dcbc1b23002afbada965c9bddf541debd2a79e700171488071fa355c7d2
                                  • Instruction ID: 904a2ea9ee052b7cd0d2885f28b370526ea16529c5f4723dacad6ab52bd59ce6
                                  • Opcode Fuzzy Hash: 1d877dcbc1b23002afbada965c9bddf541debd2a79e700171488071fa355c7d2
                                  • Instruction Fuzzy Hash: 015193B12842056ED314B731DC96ABF779CDB80359F10053FB246621E2EF789D498AAE
                                  APIs
                                  • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                  • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
                                  • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
                                  • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
                                  • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
                                  • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
                                  • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
                                  • WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
                                  • WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
                                  • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
                                  • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
                                  • WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
                                  • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
                                  • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$Write$Create
                                  • String ID: RIFF$WAVE$data$fmt
                                  • API String ID: 1602526932-4212202414
                                  • Opcode ID: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                                  • Instruction ID: e437df56db769974f3bb03b9acf3047b6271bea3308615ff466a61b001f8e6b8
                                  • Opcode Fuzzy Hash: bdde9fe629d6d0b3cb01441b1d036ed99aff71c5e0b2c5a0236a53ffdd76988e
                                  • Instruction Fuzzy Hash: D1413F72644218BAE210DB51DD85FBB7FECEB89B50F40441AFA44D60C0E7A5E909DBB3
                                  APIs
                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe,00000001,00407688,C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe,00000003,004076B0,004752D8,00407709), ref: 004072BF
                                  • GetProcAddress.KERNEL32(00000000), ref: 004072C8
                                  • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072DD
                                  • GetProcAddress.KERNEL32(00000000), ref: 004072E0
                                  • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072F1
                                  • GetProcAddress.KERNEL32(00000000), ref: 004072F4
                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00407305
                                  • GetProcAddress.KERNEL32(00000000), ref: 00407308
                                  • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00407319
                                  • GetProcAddress.KERNEL32(00000000), ref: 0040731C
                                  • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040732D
                                  • GetProcAddress.KERNEL32(00000000), ref: 00407330
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressHandleModuleProc
                                  • String ID: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                  • API String ID: 1646373207-557812225
                                  • Opcode ID: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                                  • Instruction ID: 405170eedd050388d8f538cead316ce70cca9a1d875d15a5a69166cce564cbe9
                                  • Opcode Fuzzy Hash: f3da3711bb85931ca03a42678d4c0c1881451176f862cc8ba737a85fa656c6e8
                                  • Instruction Fuzzy Hash: 0A0152A0E4431676D711AF7AAC44D577E9D9E41351311487BB405E2292EEBCE800CD6E
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$EnvironmentVariable$_wcschr
                                  • String ID: H'V
                                  • API String ID: 3899193279-3641000910
                                  • Opcode ID: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                                  • Instruction ID: 2409d22e097b45b84bdb59948eb4ebc1cd1141af37d2d18b4001dba56dac1aed
                                  • Opcode Fuzzy Hash: a471c829ddd5e79256b59335d7b350d61db07916532beff835d4a4e17985a3d6
                                  • Instruction Fuzzy Hash: E3D135B1D003006FFB24AF799D82A6B7BA8EF01314F05417FE945A7382EB7D99098759
                                  APIs
                                  • _wcslen.LIBCMT ref: 0040CE42
                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,pW,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE5B
                                  • CopyFileW.KERNEL32(C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe,00000000,00000000,00000000,00000000,00000000,?,pW,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040CF0B
                                  • _wcslen.LIBCMT ref: 0040CF21
                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CFA9
                                  • CopyFileW.KERNEL32(C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe,00000000,00000000), ref: 0040CFBF
                                  • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFFE
                                  • _wcslen.LIBCMT ref: 0040D001
                                  • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040D018
                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,pW,0000000E), ref: 0040D068
                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000001), ref: 0040D086
                                  • ExitProcess.KERNEL32 ref: 0040D09D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                  • String ID: 6$C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe$del$open$pW$xdF
                                  • API String ID: 1579085052-2410765170
                                  • Opcode ID: 1f26a9a137c80f5632c92eb2222ab7f2ba6ebdcc1e6d02a5e4a10b2a6e82a7e9
                                  • Instruction ID: 98553dc1b0994f0aa09194d7cf3a18af63584d9ff732256a229fdfb73b573f5c
                                  • Opcode Fuzzy Hash: 1f26a9a137c80f5632c92eb2222ab7f2ba6ebdcc1e6d02a5e4a10b2a6e82a7e9
                                  • Instruction Fuzzy Hash: 3151E820208302ABD615B7359C92A6F679D9F8471DF00443FF60AA61E3EF7C9D05866E
                                  APIs
                                  • lstrlenW.KERNEL32(?), ref: 0041C0C7
                                  • _memcmp.LIBVCRUNTIME ref: 0041C0DF
                                  • lstrlenW.KERNEL32(?), ref: 0041C0F8
                                  • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041C133
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C146
                                  • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C18A
                                  • lstrcmpW.KERNEL32(?,?), ref: 0041C1A5
                                  • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C1BD
                                  • _wcslen.LIBCMT ref: 0041C1CC
                                  • FindVolumeClose.KERNEL32(?), ref: 0041C1EC
                                  • GetLastError.KERNEL32 ref: 0041C204
                                  • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C231
                                  • lstrcatW.KERNEL32(?,?), ref: 0041C24A
                                  • lstrcpyW.KERNEL32(?,?), ref: 0041C259
                                  • GetLastError.KERNEL32 ref: 0041C261
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                  • String ID: ?
                                  • API String ID: 3941738427-1684325040
                                  • Opcode ID: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
                                  • Instruction ID: 8d48ee17a24f37a9bc83e71ffc922dd471ae74eb47091415c6e266b1ff6a60c4
                                  • Opcode Fuzzy Hash: f867a525b16976b99bb039d508de341a2eaf9024ee8651fbc1bead663617605c
                                  • Instruction Fuzzy Hash: B541A671584316EBD720DFA0DC889DBB7ECEB84745F00092BF545D2162EB78CA88CB96
                                  APIs
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412B08
                                    • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                    • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                    • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                  • Sleep.KERNEL32(0000000A,00465E84), ref: 00412C5A
                                  • Sleep.KERNEL32(0000000A,00465E84,00465E84), ref: 00412CFC
                                  • Sleep.KERNEL32(0000000A,00465E84,00465E84,00465E84), ref: 00412D9E
                                  • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E00
                                  • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E37
                                  • DeleteFileW.KERNEL32(00000000,00465E84,00465E84,00465E84), ref: 00412E73
                                  • Sleep.KERNEL32(000001F4,00465E84,00465E84,00465E84), ref: 00412E8D
                                  • Sleep.KERNEL32(00000064), ref: 00412ECF
                                    • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                  • String ID: /stext "$,aF$0TG$0TG$NG$NG
                                  • API String ID: 1223786279-4119708859
                                  • Opcode ID: cb9c8e514a03fffe39a67888c38defc63896ca07a3b47e43f0cc2a8d1a09612f
                                  • Instruction ID: 10d3359c81a21c2239512d2238f4034584c87ebec4848cfd83014516dee20f06
                                  • Opcode Fuzzy Hash: cb9c8e514a03fffe39a67888c38defc63896ca07a3b47e43f0cc2a8d1a09612f
                                  • Instruction Fuzzy Hash: 2F0268315083414AC325FB62D891AEFB3E5AFD4348F50483FF58A931E2EF785A49C65A
                                  APIs
                                  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408D1E
                                  • GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D56
                                  • __aulldiv.LIBCMT ref: 00408D88
                                    • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                  • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408EAB
                                  • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408EC6
                                  • CloseHandle.KERNEL32(00000000), ref: 00408F9F
                                  • CloseHandle.KERNEL32(00000000,00000052), ref: 00408FE9
                                  • CloseHandle.KERNEL32(00000000), ref: 00409037
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                  • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $xdF$NG
                                  • API String ID: 3086580692-3944908133
                                  • Opcode ID: 375fd4d1ba84a221b6b379f1ba586c6507ce90ea72b898bc605ef2d0a248505e
                                  • Instruction ID: 3fce176daff91a8ac67d7e00268aa6ddaa8eb0a69c3dc15cdf5b3728eb075172
                                  • Opcode Fuzzy Hash: 375fd4d1ba84a221b6b379f1ba586c6507ce90ea72b898bc605ef2d0a248505e
                                  • Instruction Fuzzy Hash: CCB1A1316083409BC314FB26C941AAFB7E5AFC4358F40492FF589622D2EF789945CB8B
                                  APIs
                                  • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D66B
                                  • GetCursorPos.USER32(?), ref: 0041D67A
                                  • SetForegroundWindow.USER32(?), ref: 0041D683
                                  • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D69D
                                  • Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D6EE
                                  • ExitProcess.KERNEL32 ref: 0041D6F6
                                  • CreatePopupMenu.USER32 ref: 0041D6FC
                                  • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D711
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                  • String ID: Close
                                  • API String ID: 1657328048-3535843008
                                  • Opcode ID: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                                  • Instruction ID: ffebe08b42ddc2cad69fc5dc181b4667ce265f065f51bc56e4a7814a85689449
                                  • Opcode Fuzzy Hash: 2cdbc08d807d068952302bab703dbbbb7de86244cd36d8f377370d21a5bc842f
                                  • Instruction Fuzzy Hash: 2D213BB1544209FFDF155FA4ED0EAAA3F35EB08302F000125F909951B2D779EDA1EB19
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$Info
                                  • String ID:
                                  • API String ID: 2509303402-0
                                  • Opcode ID: 6f6fc0ac27b4b2f00b1102b51bee0220b0be09f2ed36c41455f2b0a14b53fe9c
                                  • Instruction ID: 03d8b0dccc9171d7b4ee81f85837dfa1205ba0d7832ce976ccf3d084d520ac26
                                  • Opcode Fuzzy Hash: 6f6fc0ac27b4b2f00b1102b51bee0220b0be09f2ed36c41455f2b0a14b53fe9c
                                  • Instruction Fuzzy Hash: AFB1CE719002059FEB21DF69C881BEEBBF4BF09304F15842EF495A7242DB79AC458B69
                                  APIs
                                    • Part of subcall function 0041288B: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                    • Part of subcall function 0041288B: WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                    • Part of subcall function 00413733: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 0041374F
                                    • Part of subcall function 00413733: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
                                    • Part of subcall function 00413733: RegCloseKey.ADVAPI32(00000000), ref: 00413773
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D894
                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00466478,00466478,00000000), ref: 0040D9F3
                                  • ExitProcess.KERNEL32 ref: 0040D9FF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                  • String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open$xdF
                                  • API String ID: 1913171305-1736969612
                                  • Opcode ID: b69e3863cd24d91f8d09930e85150bb1700edda50eabfefcd59ed8dd1b1ec919
                                  • Instruction ID: 6f299f75ad759bd4c56b3f4cab90e5e1fe41ff60d22e8747b975e3d2bb757992
                                  • Opcode Fuzzy Hash: b69e3863cd24d91f8d09930e85150bb1700edda50eabfefcd59ed8dd1b1ec919
                                  • Instruction Fuzzy Hash: 9B4129719001155ACB15FBA2DC56DEEB778AF50709F10017FB10AB21E2FF785E8ACA98
                                  APIs
                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414E10
                                  • LoadLibraryA.KERNEL32(?), ref: 00414E52
                                  • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E72
                                  • FreeLibrary.KERNEL32(00000000), ref: 00414E79
                                  • LoadLibraryA.KERNEL32(?), ref: 00414EB1
                                  • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414EC3
                                  • FreeLibrary.KERNEL32(00000000), ref: 00414ECA
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00414ED9
                                  • FreeLibrary.KERNEL32(00000000), ref: 00414EF0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                  • String ID: \ws2_32$\wship6$getaddrinfo
                                  • API String ID: 2490988753-3078833738
                                  • Opcode ID: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                  • Instruction ID: 3d65f6a93fba2a0b2eac8854c7d2b2934d6e6a161d7d6dc9994b6ec54a408268
                                  • Opcode Fuzzy Hash: bff3b13f7ac9eea3f878ccf145141800db562e87b1258dd51974eed62fb821cf
                                  • Instruction Fuzzy Hash: 5E31C4B1905315A7D7209F65CC84DDF76DCAB84754F004A2AF944A3210D738D985CBAE
                                  APIs
                                  • ___free_lconv_mon.LIBCMT ref: 0045138A
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 0045059F
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505B1
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505C3
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505D5
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505E7
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 004505F9
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 0045060B
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 0045061D
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 0045062F
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 00450641
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 00450653
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 00450665
                                    • Part of subcall function 00450582: _free.LIBCMT ref: 00450677
                                  • _free.LIBCMT ref: 0045137F
                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                  • _free.LIBCMT ref: 004513A1
                                  • _free.LIBCMT ref: 004513B6
                                  • _free.LIBCMT ref: 004513C1
                                  • _free.LIBCMT ref: 004513E3
                                  • _free.LIBCMT ref: 004513F6
                                  • _free.LIBCMT ref: 00451404
                                  • _free.LIBCMT ref: 0045140F
                                  • _free.LIBCMT ref: 00451447
                                  • _free.LIBCMT ref: 0045144E
                                  • _free.LIBCMT ref: 0045146B
                                  • _free.LIBCMT ref: 00451483
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                  • String ID:
                                  • API String ID: 161543041-0
                                  • Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                  • Instruction ID: 2428002f6fd8eb1a99257b9b861ac38f7c05b5b97acacff09fd9d8cf260fe807
                                  • Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
                                  • Instruction Fuzzy Hash: 403193715003009FEB20AA39D846F5B73E8EF02315F62992FE849D7662DF78AD44C729
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free
                                  • String ID:
                                  • API String ID: 269201875-0
                                  • Opcode ID: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                  • Instruction ID: 80ca3ff3fa16d46db3e6ae4c9b8471dba03f652ca918f9f25067e0b92ee87d4d
                                  • Opcode Fuzzy Hash: f91d4b90763e5671f10523a72ee64b05bbc7cd6159c247d47fb1287d0ca389aa
                                  • Instruction Fuzzy Hash: 30C183B6D40204ABEB20DBA9CC43FDE77F8AB09705F150166FE04EB283D6B49D459768
                                  APIs
                                    • Part of subcall function 00455929: CreateFileW.KERNEL32(00000000,00000000,?,00455D04,?,?,00000000,?,00455D04,00000000,0000000C), ref: 00455946
                                  • GetLastError.KERNEL32 ref: 00455D6F
                                  • __dosmaperr.LIBCMT ref: 00455D76
                                  • GetFileType.KERNEL32(00000000), ref: 00455D82
                                  • GetLastError.KERNEL32 ref: 00455D8C
                                  • __dosmaperr.LIBCMT ref: 00455D95
                                  • CloseHandle.KERNEL32(00000000), ref: 00455DB5
                                  • CloseHandle.KERNEL32(?), ref: 00455EFF
                                  • GetLastError.KERNEL32 ref: 00455F31
                                  • __dosmaperr.LIBCMT ref: 00455F38
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                  • String ID: H
                                  • API String ID: 4237864984-2852464175
                                  • Opcode ID: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                  • Instruction ID: 7cd045c9b8f196398d23f94ba58010557f508cd7b58f44c29b3e784ccbbfb847
                                  • Opcode Fuzzy Hash: 3e80e4deedef708004bf5c1f14aafc2c87dd9643035db764e93b071d2df20022
                                  • Instruction Fuzzy Hash: 44A14532A106049FDF19AF68DC657BE3BA0EB06325F24015EEC11AB392D6398D1AC759
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free
                                  • String ID: \&G$\&G$`&G
                                  • API String ID: 269201875-253610517
                                  • Opcode ID: fb4e3dbc149d2c7ead481d14af816bdca3ff316622b678324ba67e9487465dd6
                                  • Instruction ID: 59c4f5d9f803fa3be21c2588ad204ea2c1e8261bb9e1a4607c4596bf86990b35
                                  • Opcode Fuzzy Hash: fb4e3dbc149d2c7ead481d14af816bdca3ff316622b678324ba67e9487465dd6
                                  • Instruction Fuzzy Hash: 86610E75900205AFDB21DF69C842B9ABBF4EF06710F24426BED44EB242E774AD45CB58
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 65535$udp
                                  • API String ID: 0-1267037602
                                  • Opcode ID: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                  • Instruction ID: a9902b4e2b63063b067a15c036b171ad6d3a8658db747517b03e91dd9f9ead29
                                  • Opcode Fuzzy Hash: 92e56e7e39f2557d79d3192c533dec3724d183fd0175ec4c26052f24408cebce
                                  • Instruction Fuzzy Hash: FB51D431605301ABDB609B14E905BFB77E8ABC5754F08042FF88597390E76CCCC1969E
                                  APIs
                                  • OpenClipboard.USER32 ref: 0041697C
                                  • EmptyClipboard.USER32 ref: 0041698A
                                  • CloseClipboard.USER32 ref: 00416990
                                  • OpenClipboard.USER32 ref: 00416997
                                  • GetClipboardData.USER32(0000000D), ref: 004169A7
                                  • GlobalLock.KERNEL32(00000000), ref: 004169B0
                                  • GlobalUnlock.KERNEL32(00000000), ref: 004169B9
                                  • CloseClipboard.USER32 ref: 004169BF
                                    • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                  • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                  • String ID: !D@$xdF
                                  • API String ID: 2172192267-3540039394
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A912
                                  • GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A91F
                                  • __dosmaperr.LIBCMT ref: 0043A926
                                  • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A952
                                  • GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A95C
                                  • __dosmaperr.LIBCMT ref: 0043A963
                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A9A6
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A9B0
                                  • __dosmaperr.LIBCMT ref: 0043A9B7
                                  • _free.LIBCMT ref: 0043A9C3
                                  • _free.LIBCMT ref: 0043A9CA
                                  • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                  • String ID:
                                  • API String ID: 2441525078-0
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0041A04A
                                  • GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 0041A07C
                                  • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A108
                                  • Sleep.KERNEL32(000003E8), ref: 0041A18E
                                  • GetLocalTime.KERNEL32(?), ref: 0041A196
                                  • Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A285
                                  • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                  • String ID: pW$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                  • API String ID: 489098229-3134249961
                                  APIs
                                  • SetEvent.KERNEL32(?,?), ref: 004054BF
                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040556F
                                  • TranslateMessage.USER32(?), ref: 0040557E
                                  • DispatchMessageA.USER32(?), ref: 00405589
                                  • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
                                  • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405679
                                    • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                  • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                  • String ID: CloseChat$DisplayMessage$GetMessage
                                  • API String ID: 2956720200-749203953
                                  APIs
                                  • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00413D81
                                    • Part of subcall function 00413A90: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                    • Part of subcall function 00413A90: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                    • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                  • RegCloseKey.ADVAPI32(00000000,004660B4,004660B4,00466478,00466478,00000071), ref: 00413EEF
                                  • API ID: CloseEnumInfoOpenQuerysend
                                  • String ID: (aF$,aF$xUG$xdF$NG$NG$TG
                                  • API String ID: 3114080316-4028018678
                                  APIs
                                    • Part of subcall function 00417F67: __EH_prolog.LIBCMT ref: 00417F6C
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660B4), ref: 00417E17
                                  • CloseHandle.KERNEL32(00000000), ref: 00417E20
                                  • DeleteFileA.KERNEL32(00000000), ref: 00417E2F
                                  • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DE3
                                    • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                  • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                  • String ID: 0VG$0VG$<$@$Temp
                                  • API String ID: 1704390241-2575729100
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00410EA9
                                  • int.LIBCPMT ref: 00410EBC
                                    • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                    • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                  • std::_Facet_Register.LIBCPMT ref: 00410EFC
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00410F05
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00410F23
                                  • __Init_thread_footer.LIBCMT ref: 00410F64
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                  • String ID: ,kG$0kG$@!G
                                  • API String ID: 3815856325-312998898
                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABAD
                                  • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABC4
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABD1
                                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABE0
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF1
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A517,00000000), ref: 0041ABF4
                                  • API ID: Service$CloseHandle$Open$ControlManager
                                  • String ID:
                                  • API String ID: 221034970-0
                                  APIs
                                  • _free.LIBCMT ref: 004481B5
                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                  • _free.LIBCMT ref: 004481C1
                                  • _free.LIBCMT ref: 004481CC
                                  • _free.LIBCMT ref: 004481D7
                                  • _free.LIBCMT ref: 004481E2
                                  • _free.LIBCMT ref: 004481ED
                                  • _free.LIBCMT ref: 004481F8
                                  • _free.LIBCMT ref: 00448203
                                  • _free.LIBCMT ref: 0044820E
                                  • _free.LIBCMT ref: 0044821C
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C742
                                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041C786
                                  • RegCloseKey.ADVAPI32(?), ref: 0041CA50
                                  Strings
                                  • DisplayName, xrefs: 0041C7CD
                                  • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041C738
                                  • API ID: CloseEnumOpen
                                  • String ID: DisplayName$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                  • API String ID: 1332880857-3614651759
                                  APIs
                                  • API ID: Eventinet_ntoa
                                  • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
                                  • API String ID: 3578746661-3604713145
                                  APIs
                                  • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00417530
                                    • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                  • Sleep.KERNEL32(00000064), ref: 0041755C
                                  • DeleteFileW.KERNEL32(00000000), ref: 00417590
                                  • API ID: File$CreateDeleteExecuteShellSleep
                                  • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                  • API String ID: 1462127192-2001430897
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 00407418
                                  • GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407691,C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe), ref: 004074D9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CurrentProcess
                                  • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                  • API String ID: 2050909247-4242073005
                                  • Opcode ID: c959bd930998c8f390064940774d0a1512e2843fb7eeb626fe9b06c6253c3d56
                                  • Instruction ID: c8d37550e6f1e63eabf3c93e4c9511e0cbcdb01d3c289a22ccdf2b55afca88d7
                                  • Opcode Fuzzy Hash: c959bd930998c8f390064940774d0a1512e2843fb7eeb626fe9b06c6253c3d56
                                  • Instruction Fuzzy Hash: DE317EB1A44300ABD314EF65DD46F1677B8BB04705F10087EF509A6692EBB8B8458B6F
                                  APIs
                                  • _strftime.LIBCMT ref: 00401D50
                                    • Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
                                  • waveInUnprepareHeader.WINMM(00472A88,00000020,00000000,?), ref: 00401E02
                                  • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
                                  • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                  • String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
                                  • API String ID: 3809562944-243156785
                                  • Opcode ID: 272d9e95f202b5b87e8d6f02197a65f7d4795c5aee8df22827821352ca84ba3d
                                  • Instruction ID: 12771182903f202c4b9d99511a6abf0f0559d076e6e3c56183b1657b5f9df8bc
                                  • Opcode Fuzzy Hash: 272d9e95f202b5b87e8d6f02197a65f7d4795c5aee8df22827821352ca84ba3d
                                  • Instruction Fuzzy Hash: AA318F315043019FC324EB22DC56A9E77A8FB84315F40443EF189A21F2EFB89A49CB5E
                                  APIs
                                  • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
                                  • waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000,00000024), ref: 00401C8F
                                  • waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
                                  • waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
                                  • waveInStart.WINMM ref: 00401CFE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                  • String ID: dMG$pW$|MG
                                  • API String ID: 1356121797-1508539285
                                  • Opcode ID: 6aa69cd6a01d0fe2356010249b9bd36d42245e4d7c734ee1dd99acc2b44a8f66
                                  • Instruction ID: 1e392cdedf79dd274444ae0cc0b76d6cc185fd36309c60cea9b16e967c73269b
                                  • Opcode Fuzzy Hash: 6aa69cd6a01d0fe2356010249b9bd36d42245e4d7c734ee1dd99acc2b44a8f66
                                  • Instruction Fuzzy Hash: 51212A71604201AFC7399F66EE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D507
                                    • Part of subcall function 0041D5A0: RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                    • Part of subcall function 0041D5A0: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                    • Part of subcall function 0041D5A0: GetLastError.KERNEL32 ref: 0041D611
                                  • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D53E
                                  • lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D558
                                  • Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D56E
                                  • TranslateMessage.USER32(?), ref: 0041D57A
                                  • DispatchMessageA.USER32(?), ref: 0041D584
                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041D591
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                  • String ID: Remcos
                                  • API String ID: 1970332568-165870891
                                  • Opcode ID: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                  • Instruction ID: 0a96d410cd687733bc2db9baaca44b2a156926270a6f860d3af68fdb0bcdced8
                                  • Opcode Fuzzy Hash: bb528cd859a2941ef755fedfca18549d942758f832e9eaa985f33bd327a59cbd
                                  • Instruction Fuzzy Hash: CA0152B1840244EBD7109FA5EC4CFABBB7CEBC5705F00406AF515931A1D778D885CB58
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fe4c6299b1f4debc2f0613a6a4b69777743e78c2e08cef74df9dc0c7942dc402
                                  • Instruction ID: c312da418a410335279f0cc1971bad4557be7deeadefc114a47e367d78dfde09
                                  • Opcode Fuzzy Hash: fe4c6299b1f4debc2f0613a6a4b69777743e78c2e08cef74df9dc0c7942dc402
                                  • Instruction Fuzzy Hash: 94C1FA70D04249AFEF11DFA8CC41BAE7BB0AF09304F19415AE915A7392C77C9941CB69
                                  APIs
                                  • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,004540DC,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453EAF
                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F32
                                  • __alloca_probe_16.LIBCMT ref: 00453F6A
                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,004540DC,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FC5
                                  • __alloca_probe_16.LIBCMT ref: 00454014
                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FDC
                                    • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004540DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00454058
                                  • __freea.LIBCMT ref: 00454083
                                  • __freea.LIBCMT ref: 0045408F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                  • String ID:
                                  • API String ID: 201697637-0
                                  • Opcode ID: c58c81590331c8434bd69e2fe975192d11ab6ad4f25d793436d733d3ebd853b6
                                  • Instruction ID: 957693029e8655488503f3238c5b69ab87e72ad781d0cd1ca1c521277c14990f
                                  • Opcode Fuzzy Hash: c58c81590331c8434bd69e2fe975192d11ab6ad4f25d793436d733d3ebd853b6
                                  • Instruction Fuzzy Hash: 2B91D472E002069BDB208E65C846EEFBBF59F49756F14051BED00EB282D73DCD898769
                                  APIs
                                    • Part of subcall function 00448295: GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                    • Part of subcall function 00448295: _free.LIBCMT ref: 004482CC
                                    • Part of subcall function 00448295: SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                    • Part of subcall function 00448295: _abort.LIBCMT ref: 00448313
                                  • _memcmp.LIBVCRUNTIME ref: 004454A4
                                  • _free.LIBCMT ref: 00445515
                                  • _free.LIBCMT ref: 0044552E
                                  • _free.LIBCMT ref: 00445560
                                  • _free.LIBCMT ref: 00445569
                                  • _free.LIBCMT ref: 00445575
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorLast$_abort_memcmp
                                  • String ID: C
                                  • API String ID: 1679612858-1037565863
                                  • Opcode ID: 988bd1a8119ed4a709ec3dab848aee85f0f523c2f313b021c20f4b3607b372ff
                                  • Instruction ID: c5fa7cd4a0def74fccfc383a36f0c71fd12082b8797d706f49daa7c6421ebafc
                                  • Opcode Fuzzy Hash: 988bd1a8119ed4a709ec3dab848aee85f0f523c2f313b021c20f4b3607b372ff
                                  • Instruction Fuzzy Hash: D4B13775A016199FEB24DF18C885BAEB7B4FF48304F5085EAE809A7351E774AE90CF44
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: tcp$udp
                                  • API String ID: 0-3725065008
                                  • Opcode ID: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                  • Instruction ID: 4fb2fbaa1818e082f2863e0a7c91e4ace7fe62ed23b491eff3584b955907a2f3
                                  • Opcode Fuzzy Hash: e3882082d73cb51732241927fa811467e6376eb334e21639ae703d67e169e483
                                  • Instruction Fuzzy Hash: FC7197706083028FDB248F55D4817ABB7E4AFC8355F20482FF88697351E778DE858B9A
                                  APIs
                                  • __Init_thread_footer.LIBCMT ref: 004018BE
                                  • ExitThread.KERNEL32 ref: 004018F6
                                  • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00474EE0,00000000), ref: 00401A04
                                    • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                  • String ID: PkG$XMG$NG$NG
                                  • API String ID: 1649129571-3151166067
                                  • Opcode ID: 04c6230229ba03dc03dd42187752d24fce62bcfb967b9c5647b680e770e32543
                                  • Instruction ID: 94ec9d015e3317cd6a1a8c0f3f0e5257b1b149af30ff9c9aaa6ade548e88cebb
                                  • Opcode Fuzzy Hash: 04c6230229ba03dc03dd42187752d24fce62bcfb967b9c5647b680e770e32543
                                  • Instruction Fuzzy Hash: 7441D5312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D4AC71D
                                  APIs
                                  • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00474EE0,00465FB4,?,00000000,00408037,00000000), ref: 00407A00
                                  • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A48
                                    • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                  • CloseHandle.KERNEL32(00000000,?,00000000,00408037,00000000,?,?,0000000A,00000000), ref: 00407A88
                                  • MoveFileW.KERNEL32(00000000,00000000), ref: 00407AA5
                                  • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AD0
                                  • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AE0
                                    • Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00474EF8,00404C49,00000000,00000000,00000000,?,00474EF8,?), ref: 00404BA5
                                    • Part of subcall function 00404B96: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                  • String ID: .part
                                  • API String ID: 1303771098-3499674018
                                  • Opcode ID: 3afc2f85f810e2c46033f561f8352aaa8f531af2af3959b11cfb50950e871b37
                                  • Instruction ID: fa021c15c5d1e87e569c09a19ead990ccf19330fc060556597d24b4305e87d8f
                                  • Opcode Fuzzy Hash: 3afc2f85f810e2c46033f561f8352aaa8f531af2af3959b11cfb50950e871b37
                                  • Instruction Fuzzy Hash: 3A31B571508345AFC310EB61D84599FB3A8FF94359F00493FB945A21D2EB78EE08CB9A
                                  APIs
                                    • Part of subcall function 00413656: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,pW), ref: 00413678
                                    • Part of subcall function 00413656: RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                                    • Part of subcall function 00413656: RegCloseKey.ADVAPI32(?), ref: 004136A0
                                    • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                    • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                  • _wcslen.LIBCMT ref: 0041B7F4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                  • String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\$pW
                                  • API String ID: 3286818993-4053934369
                                  • Opcode ID: 21ce8c3951ea68e9f4768855c246d238a69c4de2a44f28aaa4944944c55ea733
                                  • Instruction ID: 00334f857bbe6022557327a28fa8f115e820bd32ca6b34e50ab8c41aa79dd428
                                  • Opcode Fuzzy Hash: 21ce8c3951ea68e9f4768855c246d238a69c4de2a44f28aaa4944944c55ea733
                                  • Instruction Fuzzy Hash: 42218872A001046BDB14BAB59CD6AFE766D9B48728F10043FF505B72C3EE3C9D49426D
                                  APIs
                                  • AllocConsole.KERNEL32(00475338), ref: 0041CE35
                                  • GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                  • ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                  • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Console$Window$AllocOutputShow
                                  • String ID: Remcos v$5.1.2 Pro$CONOUT$
                                  • API String ID: 4067487056-1584637518
                                  • Opcode ID: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                  • Instruction ID: 6efa3de70d430de9448838496adf33c47162c0890a3ad1875f095e209401f165
                                  • Opcode Fuzzy Hash: bb520a2f19826cc6a1c283625bbcfbf44085728638f029a4a140c4eec348b460
                                  • Instruction Fuzzy Hash: A90144B1A80304BBD610F7F19C8BF9E77AC9B14B05F500527BA04A70D2EB6DD944466E
                                  Strings
                                  • xdF, xrefs: 004076E4
                                  • pW, xrefs: 004076D2
                                  • C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe, xrefs: 004076FF
                                  • SG, xrefs: 00407715
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: SG$C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe$pW$xdF
                                  • API String ID: 0-4134312934
                                  • Opcode ID: 76fb36a6468107bc6bcf7edae7d85ad02bbabba37b75d9201cd6870646e6a122
                                  • Instruction ID: 5ffff352cfcc2e87221e4fa572a01d73507d198e899e6baa5594ec663d9dd15d
                                  • Opcode Fuzzy Hash: 76fb36a6468107bc6bcf7edae7d85ad02bbabba37b75d9201cd6870646e6a122
                                  • Instruction Fuzzy Hash: 8DF02BB0E04600EBCB1477345D296AA3656A780397F40487BF507EB2F2EBBD5C41871E
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044AD23
                                  • __alloca_probe_16.LIBCMT ref: 0044AD5B
                                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD92,?,?,?,0044AF1A,00000001,00000001,?), ref: 0044ADA9
                                  • __alloca_probe_16.LIBCMT ref: 0044AE40
                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AEA3
                                  • __freea.LIBCMT ref: 0044AEB0
                                    • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                  • __freea.LIBCMT ref: 0044AEB9
                                  • __freea.LIBCMT ref: 0044AEDE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                  • String ID:
                                  • API String ID: 3864826663-0
                                  • Opcode ID: 276b4224ba7534166915209a775ab474993eb6b0505c2e4c67818911aa509b1e
                                  • Instruction ID: de232b2c18f644b0009b05ef7aad101f1c584e700cc6948cb3d999d9ae9be8cc
                                  • Opcode Fuzzy Hash: 276b4224ba7534166915209a775ab474993eb6b0505c2e4c67818911aa509b1e
                                  • Instruction Fuzzy Hash: 41514C72A80206AFFB258F64CC41EBF77A9DB44750F25462EFC14D7240EB38DC60869A
                                  APIs
                                  • SendInput.USER32 ref: 00419A25
                                  • SendInput.USER32(00000001,?,0000001C,00000000), ref: 00419A4D
                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A74
                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419A92
                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AB2
                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AD7
                                  • SendInput.USER32(00000001,0000001C,0000001C), ref: 00419AF9
                                  • SendInput.USER32(00000001,00000000,0000001C), ref: 00419B1C
                                    • Part of subcall function 004199CE: MapVirtualKeyA.USER32(00000000,00000000), ref: 004199D4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InputSend$Virtual
                                  • String ID:
                                  • API String ID: 1167301434-0
                                  • Opcode ID: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                  • Instruction ID: b6cba15de7ba168fc32b54cb564de1fb898aed6d56f2455a0f9f7e0387a20004
                                  • Opcode Fuzzy Hash: fc4380392ba50379eb6d472fb1d17d58296046c22f58e77cb3b57b5de18c14a3
                                  • Instruction Fuzzy Hash: 2431AE71218349A9E220DFA5DC41BDFBBECAF89B44F04080FF58457291CAA49D8C876B
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __freea$__alloca_probe_16_free
                                  • String ID: a/p$am/pm$h{D
                                  • API String ID: 2936374016-2303565833
                                  • Opcode ID: fd6751c856b69d551333f65899c140b2c90fb7d01a30c867c2f4d7dd71cdc8bb
                                  • Instruction ID: c225e1f32c331ede1d29eb10815d0f52c76e58365e66366979e06629ded2ae5c
                                  • Opcode Fuzzy Hash: fd6751c856b69d551333f65899c140b2c90fb7d01a30c867c2f4d7dd71cdc8bb
                                  • Instruction Fuzzy Hash: 94D1E1719082068AFB299F68C845ABFB7B1EF05300F28455BE501AB351D73D9E43CBA9
                                  APIs
                                    • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                  • _free.LIBCMT ref: 00444E87
                                  • _free.LIBCMT ref: 00444E9E
                                  • _free.LIBCMT ref: 00444EBD
                                  • _free.LIBCMT ref: 00444ED8
                                  • _free.LIBCMT ref: 00444EEF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$AllocateHeap
                                  • String ID: KED
                                  • API String ID: 3033488037-2133951994
                                  • Opcode ID: bf8f09c86d4ddf62a61791e98d41f8d125843f3e4b01e4d539fef815b17f4b11
                                  • Instruction ID: 6eb5fd97c930506827bd935ec23fdf2bd7e2f8155051dcdfd38a61b70e77380a
                                  • Opcode Fuzzy Hash: bf8f09c86d4ddf62a61791e98d41f8d125843f3e4b01e4d539fef815b17f4b11
                                  • Instruction Fuzzy Hash: 2351B371A00604ABEB20DF29CC42B6B77F4FF89724B25456EE809D7751E739E901CB98
                                  APIs
                                  • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413AF7
                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00413B26
                                  • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00413BC6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Enum$InfoQueryValue
                                  • String ID: [regsplt]$xUG$TG
                                  • API String ID: 3554306468-1165877943
                                  • Opcode ID: 6129f07ca8e649aa684d27b9dba7dc75c53e511e8a381502f1a2dc1ed25c8145
                                  • Instruction ID: 25111a67c66830bda9a991cbd11294aa9b1843c944dfd5f4caafe5fa1545c2ae
                                  • Opcode Fuzzy Hash: 6129f07ca8e649aa684d27b9dba7dc75c53e511e8a381502f1a2dc1ed25c8145
                                  • Instruction Fuzzy Hash: 05512D71900219AADB11EB95DC86EEEB77DAF04305F10007AE505B6191EF746B48CBA9
                                  APIs
                                  • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044BBB1,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044B47E
                                  • __fassign.LIBCMT ref: 0044B4F9
                                  • __fassign.LIBCMT ref: 0044B514
                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B53A
                                  • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BBB1,00000000,?,?,?,?,?,?,?,?,?,0044BBB1,?), ref: 0044B559
                                  • WriteFile.KERNEL32(?,?,00000001,0044BBB1,00000000,?,?,?,?,?,?,?,?,?,0044BBB1,?), ref: 0044B592
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                  • String ID:
                                  • API String ID: 1324828854-0
                                  • Opcode ID: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                  • Instruction ID: 262f0c9efa3d8d05c94b564727faad167cb6e35c827a04fe4b8fb241bd644287
                                  • Opcode Fuzzy Hash: 311db8d3e4a1a0a231de64f74e89b34bd80b314b172ec9a4a2cdea1eea97895d
                                  • Instruction Fuzzy Hash: 2151B470A00249AFDB10CFA8D845AEEFBF8EF09304F14456BE955E7291E734D941CBA9
                                  APIs
                                    • Part of subcall function 004135E1: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00413605
                                    • Part of subcall function 004135E1: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00413622
                                    • Part of subcall function 004135E1: RegCloseKey.KERNEL32(?), ref: 0041362D
                                  • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BFA6
                                  • PathFileExistsA.SHLWAPI(?), ref: 0040BFB3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                  • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                  • API String ID: 1133728706-4073444585
                                  • Opcode ID: e02571ccf1d8d7642eb7522d4ecac0f64e4039cdab1393baceb5a006cb27889d
                                  • Instruction ID: a06d8339010b4a31413dea3cf8b7af81beee50618fccc2c871009a62ab4f9f33
                                  • Opcode Fuzzy Hash: e02571ccf1d8d7642eb7522d4ecac0f64e4039cdab1393baceb5a006cb27889d
                                  • Instruction Fuzzy Hash: BC215230A40219A6CB14F7F1CC969EE77299F50744F80017FE502B71D1EB7D6945C6DA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4464324db8c5353dfe5ce51150f621231adbafcb5ed67c6bb2f14fac2072150c
                                  • Instruction ID: d4e598e7927038c57750db0ba161657e9615562456f8c919f0676739ef068bdb
                                  • Opcode Fuzzy Hash: 4464324db8c5353dfe5ce51150f621231adbafcb5ed67c6bb2f14fac2072150c
                                  • Instruction Fuzzy Hash: 931127B2504214BBEB216F768C05D1F7A5CEB86726B52062EFD55C7292DA3CCC0186A8
                                  APIs
                                  • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B438
                                  • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B44E
                                  • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B467
                                  • InternetCloseHandle.WININET(00000000), ref: 0041B4AD
                                  • InternetCloseHandle.WININET(00000000), ref: 0041B4B0
                                  Strings
                                  • http://geoplugin.net/json.gp, xrefs: 0041B448
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Internet$CloseHandleOpen$FileRead
                                  • String ID: http://geoplugin.net/json.gp
                                  • API String ID: 3121278467-91888290
                                  • Opcode ID: cc18b0f60563c6ad6f9a26d76095e6aabadcdc754726bec99fffa54df7cc8bd2
                                  • Instruction ID: e320c318363c88f1c040182635621d8729538b68a2f0080144892bf513bd3cc2
                                  • Opcode Fuzzy Hash: cc18b0f60563c6ad6f9a26d76095e6aabadcdc754726bec99fffa54df7cc8bd2
                                  • Instruction Fuzzy Hash: 011198311053126BD224AB269C49EBF7F9CEF86765F10043EF945A2282DB689C44C6FA
                                  APIs
                                    • Part of subcall function 00450CC1: _free.LIBCMT ref: 00450CEA
                                  • _free.LIBCMT ref: 00450FC8
                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                  • _free.LIBCMT ref: 00450FD3
                                  • _free.LIBCMT ref: 00450FDE
                                  • _free.LIBCMT ref: 00451032
                                  • _free.LIBCMT ref: 0045103D
                                  • _free.LIBCMT ref: 00451048
                                  • _free.LIBCMT ref: 00451053
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                  • Instruction ID: 345e916fd15b447c36d88a7a8914fd19e4c3e0710e9d23c2e9f19f8556552687
                                  • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                                  • Instruction Fuzzy Hash: C111D231402704AAE621BB72CC03FCB779CAF03304F454D2EBEA967153C7ACB4185654
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 004111AB
                                  • int.LIBCPMT ref: 004111BE
                                    • Part of subcall function 0040E0FC: std::_Lockit::_Lockit.LIBCPMT ref: 0040E10D
                                    • Part of subcall function 0040E0FC: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E127
                                  • std::_Facet_Register.LIBCPMT ref: 004111FE
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00411207
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00411225
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                  • String ID: (mG
                                  • API String ID: 2536120697-4059303827
                                  • Opcode ID: 1b5c7adf1a629fe2bc242511ea8b9d41abd54e1fd7f2f3a966b13196985dc313
                                  • Instruction ID: b4facbf35e110c19f3eede998f69f9310dce987b63f856d60fe44c7d5fb17b17
                                  • Opcode Fuzzy Hash: 1b5c7adf1a629fe2bc242511ea8b9d41abd54e1fd7f2f3a966b13196985dc313
                                  • Instruction Fuzzy Hash: 42112732900114A7CB14EB9AD8018DEB7699F44364F11456FF904F72E1DB789E45CBC8
                                  APIs
                                  • GetLastError.KERNEL32(?,?,0043A3D1,0043933E), ref: 0043A3E8
                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A3F6
                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40F
                                  • SetLastError.KERNEL32(00000000,?,0043A3D1,0043933E), ref: 0043A461
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLastValue___vcrt_
                                  • String ID:
                                  • API String ID: 3852720340-0
                                  • Opcode ID: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                  • Instruction ID: 228fd8bb196f6ae1284969ba5442ea73dc67404c1df350b3d70410c0baad6fb0
                                  • Opcode Fuzzy Hash: 786e665d26cf754d1d2cf441f113ccf6d654ddd054b4af6544b9cbcea7eecff9
                                  • Instruction Fuzzy Hash: 87019C322483515EA61027797C8A62B2648EB293B9F30523FF518805F1EF984C90910D
                                  APIs
                                  • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe), ref: 0040760B
                                    • Part of subcall function 00407538: _wcslen.LIBCMT ref: 0040755C
                                    • Part of subcall function 00407538: CoGetObject.OLE32(?,00000024,00466528,00000000), ref: 004075BD
                                  • CoUninitialize.OLE32 ref: 00407664
                                  Strings
                                  • [+] ucmCMLuaUtilShellExecMethod, xrefs: 004075F0
                                  • [+] before ShellExec, xrefs: 0040762C
                                  • [+] ShellExec success, xrefs: 00407649
                                  • C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe, xrefs: 004075EB, 004075EE, 00407640
                                  Yara matches
                                  Similarity
                                  • API ID: InitializeObjectUninitialize_wcslen
                                  • String ID: C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                  • API String ID: 3851391207-3286116333
                                  • Opcode ID: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                  • Instruction ID: e4e7d1672fbddd81374e29e92f863be8f9bad83f72bb7a306ddb251afa86686e
                                  • Opcode Fuzzy Hash: d877cea0863f9d3afa12868748af2f8600b5022738d517222c004e226c4c5a05
                                  • Instruction Fuzzy Hash: 4501D272B087116BE2246B65DC4AF6B3748DB41B25F11053FF901A62C1EAB9FC0146AB
                                  APIs
                                  • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BB18
                                  • GetLastError.KERNEL32 ref: 0040BB22
                                  Strings
                                  • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAE3
                                  • [Chrome Cookies not found], xrefs: 0040BB3C
                                  • [Chrome Cookies found, cleared!], xrefs: 0040BB48
                                  • UserProfile, xrefs: 0040BAE8
                                  Yara matches
                                  Similarity
                                  • API ID: DeleteErrorFileLast
                                  • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                  • API String ID: 2018770650-304995407
                                  • Opcode ID: 40cbd1d017226246a01c6e55be9682f761922b1e96e2188b9bd7b4daff8d9f2f
                                  • Instruction ID: 5dee569c6883bfd73109a670bb68234af0f28e4caad238985ba957b2c74b96e7
                                  • Opcode Fuzzy Hash: 40cbd1d017226246a01c6e55be9682f761922b1e96e2188b9bd7b4daff8d9f2f
                                  • Instruction Fuzzy Hash: 5B01DF71A402055BCA04B7B6CC1B9BE7B24E922704B50017FF502726D6FE3E5D0986CE
                                  APIs
                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                  • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041AE83
                                  • PlaySoundW.WINMM(00000000,00000000), ref: 0041AE91
                                  • Sleep.KERNEL32(00002710), ref: 0041AE98
                                  • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AEA1
                                  Yara matches
                                  Similarity
                                  • API ID: PlaySound$HandleLocalModuleSleepTime
                                  • String ID: Alarm triggered$`#v
                                  • API String ID: 614609389-3049340936
                                  • Opcode ID: 7392df8db2022c5dabbdd0a7ddbeb5ff2cdfd3fc416767bfd221d1b9e2b6ff7c
                                  • Instruction ID: 264e31dd7f8ae4a58c3cd97330858728e5483d82e525179ed11d996d756d41c5
                                  • Opcode Fuzzy Hash: 7392df8db2022c5dabbdd0a7ddbeb5ff2cdfd3fc416767bfd221d1b9e2b6ff7c
                                  • Instruction Fuzzy Hash: 3EE0D826A40220779A10337B6D0FD6F3D29CAC3B2570100BFFA05660C2DD540C01C6FB
                                  APIs
                                  • __allrem.LIBCMT ref: 0043ACE9
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD05
                                  • __allrem.LIBCMT ref: 0043AD1C
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD3A
                                  • __allrem.LIBCMT ref: 0043AD51
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AD6F
                                  Yara matches
                                  Similarity
                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                  • String ID:
                                  • API String ID: 1992179935-0
                                  • Opcode ID: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                  • Instruction ID: c7cd181284538591ee8af1586cca3d38175ba7b34bac8e5aa56d350f01832762
                                  • Opcode Fuzzy Hash: 3b7debe300bd30616e6d17b60b5e1d5511deed8aaa3e59a787e888dcedb96ab2
                                  • Instruction Fuzzy Hash: 5F815972A40B05ABE7209F29CC41B6FB3A99F48324F24152FF591D67C1E77CE910875A
                                  APIs
                                  • Sleep.KERNEL32(00000000,0040D29D), ref: 004044C4
                                    • Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C
                                  Yara matches
                                  Similarity
                                  • API ID: H_prologSleep
                                  • String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
                                  • API String ID: 3469354165-3054508432
                                  • Opcode ID: fef66e343663587799a4fb7e411b7be832f70b8e55665d4bb62892141d3c40a9
                                  • Instruction ID: df1e58e957a7578ae16e417911435538e3341edc64810737793f4aa4f8849b6c
                                  • Opcode Fuzzy Hash: fef66e343663587799a4fb7e411b7be832f70b8e55665d4bb62892141d3c40a9
                                  • Instruction Fuzzy Hash: A751E171A042106BCA14FB369D0A66E3755ABC4748F00443FFA0A676E2DF7D8E45839E
                                  APIs
                                    • Part of subcall function 004117D7: SetLastError.KERNEL32(0000000D,00411D57,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 004117DD
                                  • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411D72
                                  • GetNativeSystemInfo.KERNEL32(?,0040D2DD,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411D35), ref: 00411DE0
                                  • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411E04
                                    • Part of subcall function 00411CDE: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411E22,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CEE
                                  • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E4B
                                  • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E52
                                  • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F65
                                    • Part of subcall function 004120B2: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F72,?,?,?,?,?), ref: 00412122
                                    • Part of subcall function 004120B2: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 00412129
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                  • String ID:
                                  • API String ID: 3950776272-0
                                  • Opcode ID: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                                  • Instruction ID: da58ab861bd0a84ec3871346ef31e8b8814b9d9500880b3a3e1890ad13292c25
                                  • Opcode Fuzzy Hash: 718d42136e622159178195cb0efe2cc12f9c08079781f225a480952b3bcd75f7
                                  • Instruction Fuzzy Hash: F761A270700611ABCB209F66C981BAA7BA5AF44704F14411AFF05877A2D77CE8C2CBD9
                                  Yara matches
                                  Similarity
                                  • API ID: __cftoe
                                  • String ID:
                                  • API String ID: 4189289331-0
                                  • Opcode ID: df708042516445aa89903c6330052172adb2df4233c064de01baf1be20d0a2ef
                                  • Instruction ID: b93b8478136607885b926496a305f1bfb884a7f6acf724e610c81469f19cb9e5
                                  • Opcode Fuzzy Hash: df708042516445aa89903c6330052172adb2df4233c064de01baf1be20d0a2ef
                                  • Instruction Fuzzy Hash: 2551FD72500605ABFF209B598C81EAF77A8EF45334F25421FF915A6293DB3DD900C66D
                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD19
                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A41F,00000000), ref: 0041AD2D
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD3A
                                  • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A41F,00000000), ref: 0041AD6F
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD81
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A41F,00000000), ref: 0041AD84
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                  • String ID:
                                  • API String ID: 493672254-0
                                  • Opcode ID: 465ab7c2e076ec59a8d270df8ce72ad0174e5281a4bfe7e39c5caa5367581a5e
                                  • Instruction ID: 77e668261cf9ee2bd18e5a0e87596c089765e66a1be6d3c981f75cbf7ed2a716
                                  • Opcode Fuzzy Hash: 465ab7c2e076ec59a8d270df8ce72ad0174e5281a4bfe7e39c5caa5367581a5e
                                  • Instruction Fuzzy Hash: A7016D311462157AD6111B34AC4EFFB3B6CDB02772F10032BF625965D1DA68CE8195AB
                                  APIs
                                  • GetLastError.KERNEL32(00000020,?,0043A875,?,?,?,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B), ref: 00448299
                                  • _free.LIBCMT ref: 004482CC
                                  • _free.LIBCMT ref: 004482F4
                                  • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 00448301
                                  • SetLastError.KERNEL32(00000000,0043F9F8,?,?,00000020,00000000,?,?,?,0042DD92,0000003B,?,00000041,00000000,00000000), ref: 0044830D
                                  • _abort.LIBCMT ref: 00448313
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$_free$_abort
                                  • String ID:
                                  • API String ID: 3160817290-0
                                  • Opcode ID: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                  • Instruction ID: 8d34d3ffa9a8a5ca7629c839d325bdddc3ef58a145117f7ac1d0225592351e3a
                                  • Opcode Fuzzy Hash: 0dc6b6a3e4ae5b17dec3dccad88ee1f92140bcc2d5108ccd544116d6be2417e2
                                  • Instruction Fuzzy Hash: 8EF0A435101B006BF611772A6C06B6F26599BD3B69F36042FFD18962D2EF6DCC42816D
                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB46
                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB5A
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB67
                                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB76
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB88
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A6B4,00000000), ref: 0041AB8B
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$Open$ControlManager
                                  • String ID:
                                  • API String ID: 221034970-0
                                  • Opcode ID: f94ae9c5674c9adfc346e263051d54d626d5e40d867c234dda8e9c50f9d09011
                                  • Instruction ID: 443f58cffa4f299642b313368f914f767bd977a6fac550f0ec2f38f013616b5a
                                  • Opcode Fuzzy Hash: f94ae9c5674c9adfc346e263051d54d626d5e40d867c234dda8e9c50f9d09011
                                  • Instruction Fuzzy Hash: E4F0F631541318BBD7116F259C49DFF3B6CDB45B62F000026FE0992192EB68DD4595F9
                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC4A
                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC5E
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC6B
                                  • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC7A
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8C
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A634,00000000), ref: 0041AC8F
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$Open$ControlManager
                                  • String ID:
                                  • API String ID: 221034970-0
                                  • Opcode ID: 497ef82d1474d54709910eeaca97da118b40a23fe9dfeecc14ddd5be20b51566
                                  • Instruction ID: 80b71cf000cc834045a6d48b23744411b71cc7e49355023a2f572df053a73ec4
                                  • Opcode Fuzzy Hash: 497ef82d1474d54709910eeaca97da118b40a23fe9dfeecc14ddd5be20b51566
                                  • Instruction Fuzzy Hash: 73F0C231501218ABD611AF65AC4AEFF3B6CDB45B62F00002AFE0992192EB38CD4595E9
                                  APIs
                                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACB1
                                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACC5
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACD2
                                  • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACE1
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF3
                                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5B4,00000000), ref: 0041ACF6
                                  Yara matches
                                  Similarity
                                  • API ID: Service$CloseHandle$Open$ControlManager
                                  • String ID:
                                  • API String ID: 221034970-0
                                  Yara matches
                                  Similarity
                                  • API ID: CountEventTick
                                  • String ID: !D@$,aF$NG
                                  • API String ID: 180926312-2771706352
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe,00000104), ref: 00443515
                                  • _free.LIBCMT ref: 004435E0
                                  • _free.LIBCMT ref: 004435EA
                                  Yara matches
                                  Similarity
                                  • API ID: _free$FileModuleName
                                  • String ID: @)U$C:\Users\user\Desktop\172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exe
                                  • API String ID: 2506810119-1732542722
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: H'V
                                  • API String ID: 0-3641000910
                                  APIs
                                  • RegisterClassExA.USER32(00000030), ref: 0041D5EC
                                  • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041D607
                                  • GetLastError.KERNEL32 ref: 0041D611
                                  Yara matches
                                  Similarity
                                  • API ID: ClassCreateErrorLastRegisterWindow
                                  • String ID: 0$MsgWindowClass
                                  • API String ID: 2877667751-2410386613
                                  APIs
                                  • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004077D6
                                  • CloseHandle.KERNEL32(?), ref: 004077E5
                                  • CloseHandle.KERNEL32(?), ref: 004077EA
                                  Strings
                                  • C:\Windows\System32\cmd.exe, xrefs: 004077D1
                                  • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004077CC
                                  Yara matches
                                  Similarity
                                  • API ID: CloseHandle$CreateProcess
                                  • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                  • API String ID: 2922976086-4183131282
                                  APIs
                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 004433FA
                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044340D
                                  • FreeLibrary.KERNEL32(00000000,?,?,?,0044338B,?,?,0044332B,?), ref: 00443430
                                  Yara matches
                                  Similarity
                                  • API ID: AddressFreeHandleLibraryModuleProc
                                  • String ID: CorExitProcess$mscoree.dll
                                  • API String ID: 4061214504-1276376045
                                  APIs
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
                                  • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405140
                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                  Yara matches
                                  Similarity
                                  • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                  • String ID: KeepAlive | Disabled
                                  • API String ID: 2993684571-305739064
                                  APIs
                                  • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CE7E), ref: 0041CDF3
                                  • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE00
                                  • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041CE7E), ref: 0041CE0D
                                  • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041CE7E), ref: 0041CE20
                                  Strings
                                  • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CE13
                                  Yara matches
                                  Similarity
                                  • API ID: Console$AttributeText$BufferHandleInfoScreen
                                  • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                  • API String ID: 3024135584-2418719853
                                  APIs
                                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F244), ref: 0044944F
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 004494C7
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 004494F4
                                  • _free.LIBCMT ref: 0044943D
                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                  • _free.LIBCMT ref: 00449609
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                  • String ID:
                                  • API String ID: 1286116820-0
                                  APIs
                                    • Part of subcall function 0041C048: GetCurrentProcess.KERNEL32(?,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C059
                                    • Part of subcall function 0041C048: IsWow64Process.KERNEL32(00000000,?,?,0040DAE5,WinDir,00000000,00000000), ref: 0041C060
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F956
                                  • Process32FirstW.KERNEL32(00000000,?), ref: 0040F97A
                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F989
                                  • CloseHandle.KERNEL32(00000000), ref: 0040FB40
                                    • Part of subcall function 0041C076: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F634,00000000,?,?,00475338), ref: 0041C08B
                                    • Part of subcall function 0041C076: IsWow64Process.KERNEL32(00000000,?,?,?,00475338), ref: 0041C096
                                    • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                    • Part of subcall function 0041C26E: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FB31
                                  Yara matches
                                  Similarity
                                  • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                  • String ID:
                                  • API String ID: 2180151492-0
                                  Yara matches
                                  Similarity
                                  • API ID: _free
                                  • String ID:
                                  • API String ID: 269201875-0
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92), ref: 004511F9
                                  • __alloca_probe_16.LIBCMT ref: 00451231
                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD92,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?), ref: 00451282
                                  • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD92,0042DD92,?,00000002,00000000), ref: 00451294
                                  • __freea.LIBCMT ref: 0045129D
                                    • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                  • String ID:
                                  • API String ID: 313313983-0
                                  • Opcode ID: 505ad9812f568066b07f0fb8a09e4f725dd1d0495a5b090eb77152ea1c2fabb2
                                  • Instruction ID: f723c28c07ecd650b398e20bb728631ced1c531215915adb10fa1f31571a6cea
                                  • Opcode Fuzzy Hash: 505ad9812f568066b07f0fb8a09e4f725dd1d0495a5b090eb77152ea1c2fabb2
                                  • Instruction Fuzzy Hash: F7310331A0020AABDF249F65DC41EAF7BA5EB04701F0445AAFC08E72A2E739CC55CB94
                                  APIs
                                  • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E3
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F406
                                    • Part of subcall function 004461B8: RtlAllocateHeap.NTDLL(00000000,00435329,?,?,004388C7,?,?,00000000,?,?,0040DE9D,00435329,?,?,?,?), ref: 004461EA
                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F42C
                                  • _free.LIBCMT ref: 0044F43F
                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F44E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                  • String ID:
                                  • API String ID: 336800556-0
                                  • Opcode ID: bd5b513fc8b609e28947bb0fbcaa4a85653cdf481583ed06f966610d709b3706
                                  • Instruction ID: b6d7bf627ac8e1e23e8e90154f8049d5dc13ee9613ce4caf203d647ba434722a
                                  • Opcode Fuzzy Hash: bd5b513fc8b609e28947bb0fbcaa4a85653cdf481583ed06f966610d709b3706
                                  • Instruction Fuzzy Hash: 2401DF72602721BF37211ABB5C8DC7F6AACDEC6FA5355013AFD04D2202DE688D0691B9
                                  APIs
                                  • GetLastError.KERNEL32(?,00000000,00000000,0043BCD6,00000000,00000000,?,0043BD5A,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044831E
                                  • _free.LIBCMT ref: 00448353
                                  • _free.LIBCMT ref: 0044837A
                                  • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448387
                                  • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448390
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLast$_free
                                  • String ID:
                                  • API String ID: 3170660625-0
                                  • Opcode ID: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                  • Instruction ID: 5af5a014564f127a9d6b3613d5887cb4baea3ca98ff5bc54bcf39f1731b7af1a
                                  • Opcode Fuzzy Hash: 9e58827e066efea2178fd81b79d5a13276d1a5d22b614d366fbfb6265f5784d7
                                  • Instruction Fuzzy Hash: 3401F936100B006BB7117A2A5C45E6F3259DBD2B75B35093FFD1892292EF7ECC02812D
                                  APIs
                                  • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C286
                                  • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C299
                                  • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041C2B9
                                  • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2C4
                                  • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041C2CC
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$CloseHandleOpen$FileImageName
                                  • String ID:
                                  • API String ID: 2951400881-0
                                  • Opcode ID: e1074fac5642d3b73ea46f905cbac139ffb473db2c7b30d838fbef5372722d9f
                                  • Instruction ID: 82f86893bb8475317186349f6084970b7a3011258d8579340058f5d8518f4318
                                  • Opcode Fuzzy Hash: e1074fac5642d3b73ea46f905cbac139ffb473db2c7b30d838fbef5372722d9f
                                  • Instruction Fuzzy Hash: 9C01F231680215ABD61066949C8AFA7B66C8B84756F0001ABFA08D22A2EF74CD81466A
                                  APIs
                                  • _free.LIBCMT ref: 00450A54
                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                  • _free.LIBCMT ref: 00450A66
                                  • _free.LIBCMT ref: 00450A78
                                  • _free.LIBCMT ref: 00450A8A
                                  • _free.LIBCMT ref: 00450A9C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  • Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                  • Instruction ID: 72fff71e7c38304dd33e0b5962bcef44c8ad6e5fbb3f6de42623dcf71f8de19c
                                  • Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
                                  • Instruction Fuzzy Hash: F7F012765053006B9620EB5DE883C1773D9EA157117A68C1BF549DB652C778FCC0866C
                                  APIs
                                  • _free.LIBCMT ref: 00444106
                                    • Part of subcall function 00446802: HeapFree.KERNEL32(00000000,00000000,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?), ref: 00446818
                                    • Part of subcall function 00446802: GetLastError.KERNEL32(?,?,00450CEF,?,00000000,?,00000000,?,00450F93,?,00000007,?,?,004514DE,?,?), ref: 0044682A
                                  • _free.LIBCMT ref: 00444118
                                  • _free.LIBCMT ref: 0044412B
                                  • _free.LIBCMT ref: 0044413C
                                  • _free.LIBCMT ref: 0044414D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free$ErrorFreeHeapLast
                                  • String ID:
                                  • API String ID: 776569668-0
                                  • Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                  • Instruction ID: 0e9c2896d1a2baf17e4b980eca3efa8a556ca0a6e45d827b59e8921ed08f8926
                                  • Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
                                  • Instruction Fuzzy Hash: 91F03AB18025208FA731AF2DBD528053BA1A705720356853BF40C62A71C7B849C2DFDF
                                  APIs
                                  • _strpbrk.LIBCMT ref: 0044E7B8
                                  • _free.LIBCMT ref: 0044E8D5
                                    • Part of subcall function 0043BD68: IsProcessorFeaturePresent.KERNEL32(00000017,0043BD3A,00405103,?,00000000,00000000,004020A6,00000000,00000000,?,0043BD5A,00000000,00000000,00000000,00000000,00000000), ref: 0043BD6A
                                    • Part of subcall function 0043BD68: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD8C
                                    • Part of subcall function 0043BD68: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD93
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                  • String ID: *?$.
                                  • API String ID: 2812119850-3972193922
                                  • Opcode ID: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                  • Instruction ID: bbc13fc8ee10fdca904a4e9292213e09ebfa005f106ef5a16faeda3ce4fd08f7
                                  • Opcode Fuzzy Hash: 425935087bf6a06ef5f668eca0c2840133b7cce1b1476d2e54c501535b2ee598
                                  • Instruction Fuzzy Hash: C251B175E00209AFEF14DFAAC881AAEF7B5FF58314F24416EE844E7341E6399A018B54
                                  APIs
                                  • GetKeyboardLayoutNameA.USER32(?), ref: 00409F0E
                                    • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                    • Part of subcall function 0041C5A6: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409F96,00474EE0,?,00474EE0,00000000,00474EE0,00000000), ref: 0041C5BB
                                    • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateFileKeyboardLayoutNameconnectsend
                                  • String ID: XQG$pW$NG
                                  • API String ID: 1634807452-3421895640
                                  • Opcode ID: ff509887c0297cf051371caae340bc63612711fcf8e22fa12d419fcf8622d445
                                  • Instruction ID: 86122f73fea86c9dce3a8c8dcd7d10d1556e7c038dfd98f63e082762e027ad1b
                                  • Opcode Fuzzy Hash: ff509887c0297cf051371caae340bc63612711fcf8e22fa12d419fcf8622d445
                                  • Instruction Fuzzy Hash: 955120315082419BC328FB32D851AEFB3E5AFD4348F50493FF54AA71E2EF78594A8649
                                  APIs
                                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066
                                    • Part of subcall function 0041BA09: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00466478,0040D248,.vbs,?,?,?,?,?,004752F0), ref: 0041BA30
                                    • Part of subcall function 004185A3: CloseHandle.KERNEL32(004040F5,?,?,004040F5,00465E84), ref: 004185B9
                                    • Part of subcall function 004185A3: CloseHandle.KERNEL32(00465E84,?,?,004040F5,00465E84), ref: 004185C2
                                    • Part of subcall function 0041C516: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                  • Sleep.KERNEL32(000000FA,00465E84), ref: 00404138
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                  • String ID: /sort "Visit Time" /stext "$0NG
                                  • API String ID: 368326130-3219657780
                                  • Opcode ID: 19a75f4089cd682c196d93085774e8610958794b4b53e2c59ee42357a682b9a9
                                  • Instruction ID: 7a7c83aa22bf4ff3424ba87d95d637a61540eed1193ecfb54830ab602693969f
                                  • Opcode Fuzzy Hash: 19a75f4089cd682c196d93085774e8610958794b4b53e2c59ee42357a682b9a9
                                  • Instruction Fuzzy Hash: 2C316371A0011956CB15FBA6DC569ED7375AF90308F00007FF60AB71E2EF785D49CA99
                                  APIs
                                    • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                  • __Init_thread_footer.LIBCMT ref: 0040B7D2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Init_thread_footer__onexit
                                  • String ID: [End of clipboard]$[Text copied to clipboard]$xdF
                                  • API String ID: 1881088180-1310280921
                                  • Opcode ID: 817b4c01eafabb62cefe08f25f435df96e29b2123a05dda1d2c5d8970e98f987
                                  • Instruction ID: 844f446031992ee5170c212df839aebd4a436c67f2956c9e8fe8aff684c3a130
                                  • Opcode Fuzzy Hash: 817b4c01eafabb62cefe08f25f435df96e29b2123a05dda1d2c5d8970e98f987
                                  • Instruction Fuzzy Hash: 30217131A102198ACB14FBA6D8929EDB375AF54318F10443FE505771D2EF786D4ACA8C
                                  APIs
                                  • _wcslen.LIBCMT ref: 00416330
                                    • Part of subcall function 004138B2: RegCreateKeyA.ADVAPI32(80000001,00000000,004660B4), ref: 004138C0
                                    • Part of subcall function 004138B2: RegSetValueExA.KERNEL32(004660B4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138DB
                                    • Part of subcall function 004138B2: RegCloseKey.KERNEL32(004660B4,?,?,?,0040C18D,00466C58,00000001,000000AF,004660B4), ref: 004138E6
                                    • Part of subcall function 00409E1F: _wcslen.LIBCMT ref: 00409E38
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _wcslen$CloseCreateValue
                                  • String ID: !D@$okmode$pW
                                  • API String ID: 3411444782-2774523016
                                  • Opcode ID: 32b767abda9d74a658984582e830535edcfbd4fa180c3dcb91f0b96cbdeabe52
                                  • Instruction ID: 097cdf197a66b89fefcd85ce8a19d7acc75244c7017ebd4eb32b8c3ef24b572d
                                  • Opcode Fuzzy Hash: 32b767abda9d74a658984582e830535edcfbd4fa180c3dcb91f0b96cbdeabe52
                                  • Instruction Fuzzy Hash: 1E11A571B442011BDA187B32D862BBD22969F84348F80843FF546AF2E2DFBD4C51975D
                                  APIs
                                    • Part of subcall function 0040C4FE: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                  • PathFileExistsW.SHLWAPI(00000000), ref: 0040C658
                                  • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C6C3
                                  Strings
                                  • User Data\Default\Network\Cookies, xrefs: 0040C63E
                                  • User Data\Profile ?\Network\Cookies, xrefs: 0040C670
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExistsFilePath
                                  • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                  • API String ID: 1174141254-1980882731
                                  • Opcode ID: 2a38480921e4d6be1d5b2529be3b715cdf247bf3a0a1df31f1585b54042120b5
                                  • Instruction ID: a3c4a2fc075df05cc4efb8d324c4514c6f5a9a9113215be8183f294a60e8cc46
                                  • Opcode Fuzzy Hash: 2a38480921e4d6be1d5b2529be3b715cdf247bf3a0a1df31f1585b54042120b5
                                  • Instruction Fuzzy Hash: 0621E27190011A96CB14FBA2DC96DEEBB7CAE50319B40053FF506B31D2EF789946C6D8
                                  APIs
                                    • Part of subcall function 0040C561: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                  • PathFileExistsW.SHLWAPI(00000000), ref: 0040C727
                                  • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040C792
                                  Strings
                                  • User Data\Default\Network\Cookies, xrefs: 0040C70D
                                  • User Data\Profile ?\Network\Cookies, xrefs: 0040C73F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExistsFilePath
                                  • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                                  • API String ID: 1174141254-1980882731
                                  • Opcode ID: 48aa145b66dc80a11566b4620fdd9ce13eae5fb2ee34664654c02424daf75182
                                  • Instruction ID: 531025beeaae0c5c42121d483a56170e39db3028f8febaf9efde6b64dfa31b71
                                  • Opcode Fuzzy Hash: 48aa145b66dc80a11566b4620fdd9ce13eae5fb2ee34664654c02424daf75182
                                  • Instruction Fuzzy Hash: 4821127190011A96CB04F7A2DC96CEEBB78AE50359B40013FF506B31D2EF789946C6D8
                                  APIs
                                  • GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                  • wsprintfW.USER32 ref: 0040B22E
                                    • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: EventLocalTimewsprintf
                                  • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                                  • API String ID: 1497725170-1359877963
                                  • Opcode ID: a3905fbfc43fac7a56565b143f4cb0e617564af9bef08e2450f5cad6a16d512e
                                  • Instruction ID: 4bcbbea8953a56f0834a7592719eb704c83d71ae81c48fe005db4fd1b538d991
                                  • Opcode Fuzzy Hash: a3905fbfc43fac7a56565b143f4cb0e617564af9bef08e2450f5cad6a16d512e
                                  • Instruction Fuzzy Hash: 88114272404118AACB19AB96EC55CFE77BCEE48315B00012FF506A61D1FF7C5A45C6AD
                                  APIs
                                    • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                    • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000A2A2,?,00000000,00000000), ref: 0040AFA9
                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000A2C4,?,00000000,00000000), ref: 0040AFB5
                                  • CreateThread.KERNEL32(00000000,00000000,0040A2D0,?,00000000,00000000), ref: 0040AFC1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateThread$LocalTime$wsprintf
                                  • String ID: Online Keylogger Started
                                  • API String ID: 112202259-1258561607
                                  • Opcode ID: 0fcd38e96aacb40c04b118771990cdae8bba74e61c9056a984dbcae37755a7c2
                                  • Instruction ID: 1fd114496b08e8c1d91a2f23279a740fccf8855fe00c80ef0b78f2cd7c44f0e8
                                  • Opcode Fuzzy Hash: 0fcd38e96aacb40c04b118771990cdae8bba74e61c9056a984dbcae37755a7c2
                                  • Instruction Fuzzy Hash: 2A01C4A07003193EE62076368C8BDBF7A6DCA91398F4004BFF641362C2E97D1C1586FA
                                  APIs
                                   • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData), ref: 00406ABD (crypt32.dll is loaded and CryptUnprotectData, the DPAPI decryption routine, is resolved at run time, so the call does not appear in the static import table)
                                  • GetProcAddress.KERNEL32(00000000), ref: 00406AC4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressLibraryLoadProc
                                  • String ID: CryptUnprotectData$crypt32
                                  • API String ID: 2574300362-2380590389
                                  • Opcode ID: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                  • Instruction ID: 59ed3cbb63f31e38ea488d6bd85f24bb9ff1ce5495ed4d1509158228521d53cd
                                  • Opcode Fuzzy Hash: 905686a6130e311fdcec2a0cd22c75bab7e39712089f0cc697143e337071fc99
                                  • Instruction Fuzzy Hash: 2C01B975604216BBCB18CFAD9D449AF7BB4AB45300B00417EE956E3381DA74E9008B95
                                  APIs
                                   • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173 (000003E8 = 1000 ms timeout)
                                  • CloseHandle.KERNEL32(?), ref: 004051CA
                                  • SetEvent.KERNEL32(?), ref: 004051D9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseEventHandleObjectSingleWait
                                  • String ID: Connection Timeout
                                  • API String ID: 2055531096-499159329
                                  • Opcode ID: cfa6aba80e3ab73a333b17ef678a4c224e2718187884c1035a1560e2fee3ab95
                                  • Instruction ID: b176daa04f7f78a72cd0d213bf0bcd41e0e3849ccec9e2477ca34bbc74fb9340
                                  • Opcode Fuzzy Hash: cfa6aba80e3ab73a333b17ef678a4c224e2718187884c1035a1560e2fee3ab95
                                  • Instruction Fuzzy Hash: C901F530940F00AFD7216B368D8642BBFE0EF00306704093EE68356AE2D6789800CF89
                                  APIs
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E86E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Exception@8Throw
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2005118841-1866435925
                                  • Opcode ID: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                                  • Instruction ID: 287a1f786264602a2f100ba68ee8cd07dacd1bfc9ef62352ff5e55a88b78f620
                                  • Opcode Fuzzy Hash: 393980db8800f491ea7c1a59f80fc085f11d752c19bfb05bf36f8e27219a3784
                                  • Instruction Fuzzy Hash: 59018F626583087AEB14B697CC03FBA33685B10708F10CC3BBD01765C2EA7D6A61C66F
                                  APIs
                                   • RegCreateKeyW.ADVAPI32(80000001,00000000,004752D8), ref: 0041385A (80000001 = HKEY_CURRENT_USER, so the key and the pth_unenc value below are written without elevation)
                                  • RegSetValueExW.ADVAPI32(004752D8,?,00000000,00000001,00000000,00000000,004752F0,?,0040F85E,pth_unenc,004752D8), ref: 00413888
                                  • RegCloseKey.ADVAPI32(004752D8,?,0040F85E,pth_unenc,004752D8), ref: 00413893
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseCreateValue
                                  • String ID: pth_unenc
                                  • API String ID: 1818849710-4028850238
                                  • Opcode ID: d69e82d7a202b39eabff8c6d6945ecb801863ff8e3666436e459375cd1f846cd
                                  • Instruction ID: 9133f253890910ff78e8f434c24b82038cc7026402723a24ca4ec17c3e6d8cb5
                                  • Opcode Fuzzy Hash: d69e82d7a202b39eabff8c6d6945ecb801863ff8e3666436e459375cd1f846cd
                                  • Instruction Fuzzy Hash: 15F0C271440218FBCF00AFA1EC45FEE376CEF00756F10452AF905A61A1E7759E04DA94
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040DFEC
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040E02B
                                    • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 004356EC
                                    • Part of subcall function 004356CD: _Yarn.LIBCPMT ref: 00435710
                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040E051
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                  • String ID: bad locale name
                                  • API String ID: 3628047217-1405518554
                                  • Opcode ID: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                  • Instruction ID: 7f9ccd90240ef42149755af47b5df127ed13e8783c268b42739d505c0e35a915
                                  • Opcode Fuzzy Hash: 358b3f1522e08b03a3202c9f95d61a93da44700bf44d5321e5e8d61ced44f7e6
                                  • Instruction Fuzzy Hash: 77F08131544A085AC338FA62D863DDA73B49F14358F50457FB406268D2EF78BA0CCA9D
                                  APIs
                                   • RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,pW), ref: 00413678 (80000001 = HKEY_CURRENT_USER, samDesired 00020019 = KEY_READ)
                                  • RegQueryValueExW.ADVAPI32(?,0040F34E,00000000,00000000,?,00000400), ref: 00413697
                                  • RegCloseKey.ADVAPI32(?), ref: 004136A0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseOpenQueryValue
                                  • String ID: pW
                                  • API String ID: 3677997916-3683314483
                                  • Opcode ID: cdbe77b62fdb326fa84ed0ef2b451dd3af455626e780c5cb96fc0720a69048d7
                                  • Instruction ID: b2ddc0a972744091932d43abea1e646d3cdf78111d27e2b843060007377f7c4f
                                  • Opcode Fuzzy Hash: cdbe77b62fdb326fa84ed0ef2b451dd3af455626e780c5cb96fc0720a69048d7
                                  • Instruction Fuzzy Hash: B7F04F75600218FBDF209B90DC05FDD7B7CEB04B15F1040A2BA45B5291DB749F949BA8
                                  APIs
                                  • CreateThread.KERNEL32(00000000,00000000,Function_0001D4EE,00000000,00000000,00000000), ref: 00416C82
                                   • ShowWindow.USER32(00000009), ref: 00416C9C (00000009 = SW_RESTORE)
                                  • SetForegroundWindow.USER32 ref: 00416CA8
                                    • Part of subcall function 0041CE2C: AllocConsole.KERNEL32(00475338), ref: 0041CE35
                                    • Part of subcall function 0041CE2C: GetConsoleWindow.KERNEL32 ref: 0041CE3B
                                    • Part of subcall function 0041CE2C: ShowWindow.USER32(00000000,00000000), ref: 0041CE4E
                                     • Part of subcall function 0041CE2C: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CE73 (000004E4 = code page 1252)
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Window$Console$Show$AllocCreateForegroundOutputThread
                                  • String ID: !D@
                                  • API String ID: 186401046-604454484
                                  • Opcode ID: dddbeebbe8cb821cdc8b1c7d2847af7eb141aaddcd72dd608c7fa4ca11ce81ef
                                  • Instruction ID: 9f5213224becab59645eda34593d96b16d6ada18beeab21aaf628210512d7754
                                  • Opcode Fuzzy Hash: dddbeebbe8cb821cdc8b1c7d2847af7eb141aaddcd72dd608c7fa4ca11ce81ef
                                  • Instruction Fuzzy Hash: ECF05E70149340EAD720AB62ED45AFA7B69EB54341F01487BF909C20F2DB389C94865E
                                  APIs
                                   • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041616B (together with the "/C " string below: cmd.exe /C runs the supplied command line and exits)
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExecuteShell
                                  • String ID: /C $cmd.exe$open
                                  • API String ID: 587946157-3896048727
                                  • Opcode ID: 16ef31fdaf301ba362d07f058173c5de43aaddf50e1ff7222e4b3bcda840a0cd
                                  • Instruction ID: 08f4dee505367bf09000beb2be63de5ecd082ae46aa0e0363999309db21c3e05
                                  • Opcode Fuzzy Hash: 16ef31fdaf301ba362d07f058173c5de43aaddf50e1ff7222e4b3bcda840a0cd
                                  • Instruction Fuzzy Hash: 5EE0C0B0204305ABC605F675DC96CBF73ADAA94749B50483F7142A20E2EF7C9D49C65D
                                  APIs
                                  • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8B1
                                  • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8DC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: DeleteDirectoryFileRemove
                                  • String ID: pth_unenc$xdF
                                  • API String ID: 3325800564-2448381268
                                  • Opcode ID: d40ba35bdc574994431a00040681681ffd5cebc2bb5ef4fca25f9a910d4daf75
                                  • Instruction ID: ee660421d7ec44f6c6eaad5e9e1fc6482a22fb53094cf60c5c3e5a772ac54322
                                  • Opcode Fuzzy Hash: d40ba35bdc574994431a00040681681ffd5cebc2bb5ef4fca25f9a910d4daf75
                                  • Instruction Fuzzy Hash: 5AE04F314006109BC610BB218854AD6335CAB04316F00497BE4A3A35A1DF38AC49D658
                                  APIs
                                  • TerminateThread.KERNEL32(0040A2B8,00000000,004752F0,pth_unenc,0040D0F3,004752D8,004752F0,?,pth_unenc), ref: 0040B8F6
                                  • UnhookWindowsHookEx.USER32(004750F0), ref: 0040B902
                                   • TerminateThread.KERNEL32(Function_0000A2A2,00000000,?,pth_unenc), ref: 0040B910 (Function_0000A2A2 is the routine started by CreateThread at 0040AFA9 in the "Online Keylogger Started" function above; this routine tears the keylogger down and removes its keyboard hook with UnhookWindowsHookEx)
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: TerminateThread$HookUnhookWindows
                                  • String ID: pth_unenc
                                  • API String ID: 3123878439-4028850238
                                  • Opcode ID: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                  • Instruction ID: 372ac16de24f92ae7b862ff59389ff52a9cc8b3ac2037ffe6dc6d1e564519698
                                  • Opcode Fuzzy Hash: e1cbc6e2d6c434028aa849536a2aaf0ad10149223ccd3897ab004e8dbc05b34a
                                  • Instruction Fuzzy Hash: 71E01272204315EFD7201F909C888667AADEE1539632409BEF6C261BB6CB7D4C54C79D
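As an added example (not part of the sandbox output and not code from the sample), the following Python ties together the string indicators the function listing above attributes to this sample: the Chromium cookie paths checked with PathFileExistsW, the wsprintfW timestamp format, the "Online Keylogger Started" and "Connection Timeout" markers, the crypt32/CryptUnprotectData pair resolved through LoadLibraryA/GetProcAddress, the pth_unenc registry value and the cmd.exe argument to ShellExecuteW. The point it demonstrates is that a dump must be searched in the encoding each calling API implies: strings passed to Unicode (W) APIs are stored as UTF-16LE and a plain ASCII grep misses them, while the LoadLibraryA/GetProcAddress arguments are ANSI. It also parses the "[YYYY/MM/DD HH:MM:SS ...]" headers the timestamp format produces, for triaging a recovered keylog. The capability labels, the treatment of the report's "Profile ?" placeholder as a fixed prefix, and the assumption that the keylog header ends with "]" after some trailing text are this example's own; the dump buffer is constructed.

```python
"""Triage helper: check a dumped image for the string indicators this report
attributes to the sample, using the encoding each calling API implies."""
import re
from datetime import datetime

# Indicator -> (capability label, encodings to try).  The labels are this
# example's own grouping of the report's API/String pairs, not sandbox output.
# Strings handed to Unicode (W) APIs such as PathFileExistsW, wsprintfW and
# ShellExecuteW live in the binary as UTF-16LE; the arguments of LoadLibraryA
# and GetProcAddress are ANSI.  Where the report does not show which API
# consumed a string, both encodings are tried.
INDICATORS = {
    "User Data\\Default\\Network\\Cookies": ("chromium-cookie-path", ("utf-16-le",)),
    # The report prints "Profile ?"; the "?" is assumed to be a format
    # placeholder for the profile index, so only the fixed prefix is matched.
    "User Data\\Profile ": ("chromium-cookie-path", ("utf-16-le",)),
    "[%04i/%02i/%02i %02i:%02i:%02i ": ("keylog-timestamp", ("utf-16-le",)),
    "Online Keylogger Started": ("keylogger", ("utf-16-le", "ascii")),
    "Connection Timeout": ("c2-timeout", ("utf-16-le", "ascii")),
    "crypt32": ("dpapi-decrypt", ("ascii",)),
    "CryptUnprotectData": ("dpapi-decrypt", ("ascii",)),
    "pth_unenc": ("registry-config", ("utf-16-le", "ascii")),
    "cmd.exe": ("shell-exec", ("utf-16-le",)),
}


def scan(buf: bytes) -> dict:
    """Return {capability: [matched indicator descriptions]} for buf.

    A plain substring search is used on purpose: a false positive on a
    triage pass is cheap, a missed UTF-16LE string is not."""
    hits: dict = {}
    for text, (label, encodings) in INDICATORS.items():
        for enc in encodings:
            off = buf.find(text.encode(enc))
            if off != -1:
                hits.setdefault(label, []).append(f"{text} @0x{off:x} ({enc})")
                break  # one encoding per indicator is enough
    return hits


# "[%04i/%02i/%02i %02i:%02i:%02i " followed (assumed) by free text and "]".
KEYLOG_HEADER = re.compile(
    r"\[(\d{4})/(\d{2})/(\d{2}) (\d{2}):(\d{2}):(\d{2}) ([^\]]*)\]"
)


def parse_keylog_headers(text: str) -> list:
    """Parse keylog headers produced by the wsprintfW format string above.

    Returns (timestamp, trailing text) pairs.  What the sample writes between
    the time and the closing bracket is not shown in the report, so it is
    captured verbatim rather than interpreted."""
    out = []
    for m in KEYLOG_HEADER.finditer(text):
        y, mo, d, h, mi, s = (int(g) for g in m.groups()[:6])
        out.append((datetime(y, mo, d, h, mi, s), m.group(7)))
    return out


# Constructed stand-in for a memory dump: a few indicators embedded in the
# encodings above, surrounded by filler bytes.  Not data from the sample.
SAMPLE_DUMP = (
    b"MZ" + b"\x00" * 30
    + "User Data\\Default\\Network\\Cookies".encode("utf-16-le") + b"\x00\x00"
    + b"crypt32\x00CryptUnprotectData\x00"
    + "pth_unenc".encode("utf-16-le") + b"\x00\x00"
    + "[%04i/%02i/%02i %02i:%02i:%02i ".encode("utf-16-le") + b"]\x00"
    + b"\xcc" * 16
)

if __name__ == "__main__":
    for capability, found in sorted(scan(SAMPLE_DUMP).items()):
        print(capability, found)
    for when, tail in parse_keylog_headers("[2024/09/26 14:05:09 Notepad]abc"):
        print(when.isoformat(), repr(tail))
```

Run it against a raw process dump (for example the .sdmp files listed under Memory Dump Source) by reading the file into bytes and passing it to scan(); a hit list that names several capabilities from one image is the quick confirmation that the functions catalogued above are all present in the same module.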
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __alldvrm$_strrchr
                                  • String ID:
                                  • API String ID: 1036877536-0
                                  • Opcode ID: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                                  • Instruction ID: 8ce1af842cd152cb2b2428f5d584a25f6c9224aafe101b92c03b71ca88d34985
                                  • Opcode Fuzzy Hash: 70c324bd787235ec34b4410bef6e6c487e79153caf11c4279a27308c3ab035ac
                                  • Instruction Fuzzy Hash: 87A156729846829FF721CF58C8817AEBBA5FF15314F2841AFE8859B381D27C8C51C75A
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free
                                  • String ID:
                                  • API String ID: 269201875-0
                                  • Opcode ID: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                  • Instruction ID: 6f8591e81a910498abf0b0e408487d1c0faf04506bf4bd3dd9e850377c22d226
                                  • Opcode Fuzzy Hash: 5a84445a6d60efe319971740dde2d2f541f568e0726df331b0a843d8179482b0
                                  • Instruction Fuzzy Hash: 34413931B00104AAEB207B7A9C4666F3AB5DF45735F570A1FFD28C7293DA7C481D426A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                  • Instruction ID: b0a34e1ed6630e1fb57c9e62860a3601010315cd62f19612bff23542d182db60
                                  • Opcode Fuzzy Hash: 423e02715d989b220add50ecbde53982322c6e48bca96a6cd7fe69295545b5c8
                                  • Instruction Fuzzy Hash: 70412AB1600704BFE724AF79CD41B5EBBE8EB88714F10462FF145DB281E3B999058798
                                  APIs
                                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
                                  • CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00404DD2
                                  • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00404DDB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                  • String ID:
                                  • API String ID: 3360349984-0
                                  • Opcode ID: 9e0a8eaf4219b775e830663fcb54a959b6233ae16d1ef5de7dcca6256e783451
                                  • Instruction ID: 30d48123e17294c38ae6f490953f1b42a5ca81467cb0df1087f173bd09261e59
                                  • Opcode Fuzzy Hash: 9e0a8eaf4219b775e830663fcb54a959b6233ae16d1ef5de7dcca6256e783451
                                  • Instruction Fuzzy Hash: 684182B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666
                                  Strings
                                  • Cleared browsers logins and cookies., xrefs: 0040C130
                                  • [Cleared browsers logins and cookies.], xrefs: 0040C11F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep
                                  • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                  • API String ID: 3472027048-1236744412
                                  • Opcode ID: 1d84a610968c0f989614364af8c032c8251bfa68e213ae620782c32fadd9a619
                                  • Instruction ID: 5a72b8a34604a64e244bad04561a930bad76f77e78bf22f3e088d6afb7384554
                                  • Opcode Fuzzy Hash: 1d84a610968c0f989614364af8c032c8251bfa68e213ae620782c32fadd9a619
                                  • Instruction Fuzzy Hash: A431A805648381EDD6116BF514967AB7B824A53748F0882BFB8C4373C3DA7A4808C79F
                                  APIs
                                    • Part of subcall function 00413733: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 0041374F
                                    • Part of subcall function 00413733: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00413768
                                    • Part of subcall function 00413733: RegCloseKey.ADVAPI32(00000000), ref: 00413773
                                  • Sleep.KERNEL32(00000BB8), ref: 004127B5
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CloseOpenQuerySleepValue
                                  • String ID: 8SG$exepath$xdF
                                  • API String ID: 4119054056-3578471011
                                  • Opcode ID: 01bdf780ec6ac7598780d4fc060e49cfbed0a76d2458a37ef2a8bb80d49c98e5
                                  • Instruction ID: 51bf296395b05d3efeb7b41814c334b1d8e13e95dfba71b8de44539041ec8c28
                                  • Opcode Fuzzy Hash: 01bdf780ec6ac7598780d4fc060e49cfbed0a76d2458a37ef2a8bb80d49c98e5
                                  • Instruction Fuzzy Hash: 3521F4A1B003042BD604B6365D4AAAF724D8B80318F40897FBA56E72D3DFBC9D45826D
                                  APIs
                                    • Part of subcall function 0041C5E2: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041C5F2
                                    • Part of subcall function 0041C5E2: GetWindowTextLengthW.USER32(00000000), ref: 0041C5FB
                                    • Part of subcall function 0041C5E2: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041C625
                                  • Sleep.KERNEL32(000001F4), ref: 0040A5AE
                                  • Sleep.KERNEL32(00000064), ref: 0040A638
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Window$SleepText$ForegroundLength
                                  • String ID: [ $ ]
                                  • API String ID: 3309952895-93608704
                                  • Opcode ID: f02f1a0373de4d905e268f57495fa08b349ea431ac4d969b5d726f466b44a1dd
                                  • Instruction ID: 6255842b65d5da3793f092b3f1447ea5db7efb23f61c0c2d19f8aa6a86066f85
                                  • Opcode Fuzzy Hash: f02f1a0373de4d905e268f57495fa08b349ea431ac4d969b5d726f466b44a1dd
                                  • Instruction Fuzzy Hash: CB119F315143006BC614BB26CC579AF77A8AB90348F40083FF552661E3EF79AE18869B
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: SystemTimes$Sleep__aulldiv
                                  • String ID:
                                  • API String ID: 188215759-0
                                  • Opcode ID: 32d4930cb2be9b30136c829dd369e4a23351f3455ccfda4be26c85d87a7cef4d
                                  • Instruction ID: 634937a4cd8d43e921f59083ecd148feda9109121ee8127270144c35be039893
                                  • Opcode Fuzzy Hash: 32d4930cb2be9b30136c829dd369e4a23351f3455ccfda4be26c85d87a7cef4d
                                  • Instruction Fuzzy Hash: D01133B35043456BC304EAB5CD85DEF779CEBC4358F040A3EF64982061EE29E94986A6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fcebbc467d131149bede3708c03e30a5933a8f2bf6fa192c1d79c37d30f8ae05
                                  • Instruction ID: 2af8e1c260e5220142bf0b5f8a7e988c949d9a3a1697e0ff4d6bcf25ce69da1b
                                  • Opcode Fuzzy Hash: fcebbc467d131149bede3708c03e30a5933a8f2bf6fa192c1d79c37d30f8ae05
                                  • Instruction Fuzzy Hash: 7E01F2B26093557EFA202E786CC2F67630DCB51FBAB31033BB520612D2DB68DD40452C
                                  APIs
                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue), ref: 00448618
                                  • GetLastError.KERNEL32(?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000,00000364,?,00448367), ref: 00448624
                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044858D,00000000,00000000,00000000,00000000,?,004488B9,00000006,FlsSetValue,0045F170,0045F178,00000000), ref: 00448632
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LibraryLoad$ErrorLast
                                  • String ID:
                                  • API String ID: 3177248105-0
                                  • Opcode ID: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                  • Instruction ID: 239c22332ac31c5199b3ba4764290be2907fca328f5d1df1ca03bb1201a614b6
                                  • Opcode Fuzzy Hash: 8f9b5e85c90ff7ccd8dc2bf5dda10acfb836c822a6cf5ef36d60eb5c9189937f
                                  • Instruction Fuzzy Hash: D401FC32602322EBDB618A78EC4495F7758AF15BA2B22093AF909D3241DF24DC01C6EC
                                  APIs
                                  • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A87E), ref: 0041C52F
                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0041C543
                                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041C568
                                  • CloseHandle.KERNEL32(00000000), ref: 0041C576
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: File$CloseCreateHandleReadSize
                                  • String ID:
                                  • API String ID: 3919263394-0
                                  • Opcode ID: ea631e93aeae4d86132659a3c821e70bd950fb822780c369254ddbb306c6d1ec
                                  • Instruction ID: 4673af35f3eeaf13de89ae80f5e83caf65f56e40ae5cb47f4621101913e6d1ef
                                  • Opcode Fuzzy Hash: ea631e93aeae4d86132659a3c821e70bd950fb822780c369254ddbb306c6d1ec
                                  • Instruction Fuzzy Hash: 50F0C2B1241318BFE6101B25ADC9EBB369DDB866A9F10063EF802A22D1DA698D055139
                                  APIs
                                  • ___BuildCatchObject.LIBVCRUNTIME ref: 004398FA
                                    • Part of subcall function 00439F32: ___AdjustPointer.LIBCMT ref: 00439F7C
                                  • _UnwindNestedFrames.LIBCMT ref: 00439911
                                  • ___FrameUnwindToState.LIBVCRUNTIME ref: 00439923
                                  • CallCatchBlock.LIBVCRUNTIME ref: 00439947
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                  • String ID:
                                  • API String ID: 2633735394-0
                                  • Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                  • Instruction ID: 1eef882e9718bbd9a0ab38cd68ce054dbb3f9d4064fa539f417e17899f1f7293
                                  • Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
                                  • Instruction Fuzzy Hash: 38010532000109BBCF125F56CC01EDA3BAAEF5C754F05901AF95865221C3BAE862ABA4
                                  APIs
                                  • GetSystemMetrics.USER32(0000004C), ref: 0041942B
                                  • GetSystemMetrics.USER32(0000004D), ref: 00419431
                                  • GetSystemMetrics.USER32(0000004E), ref: 00419437
                                  • GetSystemMetrics.USER32(0000004F), ref: 0041943D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MetricsSystem
                                  • String ID:
                                  • API String ID: 4116985748-0
                                  • Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                  • Instruction ID: fd4820a3fb0c8fcfb80096478546269f04700e3de9cdf271d69d174aa35805c7
                                  • Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
                                  • Instruction Fuzzy Hash: 3FF0A4B1B043155BD700EE758C51A6B6ADAEBD4364F10043FF60887281EFB8DC468B84
                                  APIs
                                  • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438FB1
                                  • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438FB6
                                  • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438FBB
                                    • Part of subcall function 0043A4BA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A4CB
                                  • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438FD0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                  • String ID:
                                  • API String ID: 1761009282-0
                                  • Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                  • Instruction ID: 3a6c9073cd349407f79861cc5a63413a30b4b1af88e8d748f4708d1390bfb410
                                  • Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
                                  • Instruction Fuzzy Hash: 8DC04C44080381552C50B6B2110B2AF83521C7E38CF9074DFBDD1579474D5D052F553F
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __alloca_probe_16__freea
                                  • String ID: pW
                                  • API String ID: 1635606685-3683314483
                                  • Opcode ID: da99ce07a65ee8677d8ac93a591fd61b9625802b74d6fe0f1994a45124a5708e
                                  • Instruction ID: d8508cce09ee0c909582ed34c2e37a62d4695ec9c35a5d1c30796301694c113b
                                  • Opcode Fuzzy Hash: da99ce07a65ee8677d8ac93a591fd61b9625802b74d6fe0f1994a45124a5708e
                                  • Instruction Fuzzy Hash: CC41F671A00611ABFF21AB65CC41A5EB7A4DF45714F15456FF809CB282EB3CD8508799
                                  APIs
                                  • GdiplusStartup.GDIPLUS(00474ACC,?,00000000,00000000), ref: 004187FA
                                    • Part of subcall function 004048C8: connect.WS2_32(FFFFFFFF,?,?), ref: 004048E0
                                    • Part of subcall function 00404AA1: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B36
                                   Memory Dump Source
                                   • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: GdiplusStartupconnectsend
                                  • String ID: ,aF$NG
                                  • API String ID: 1957403310-2168067942
                                  APIs
                                  • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418AF9
                                    • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                  • SHCreateMemStream.SHLWAPI(00000000), ref: 00418B46
                                    • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                    • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                  • String ID: image/jpeg
                                  • API String ID: 1291196975-3785015651
                                  APIs
                                  • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451E12,?,00000050,?,?,?,?,?), ref: 00451C92
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: ACP$OCP
                                  • API String ID: 0-711371036
                                  APIs
                                  • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00418BE5
                                    • Part of subcall function 00418691: GdipLoadImageFromStream.GDIPLUS(?,?,?,00418B0C,00000000,?,?,?,?,00000000), ref: 004186A5
                                  • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00418C0A
                                    • Part of subcall function 00418706: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00418B62,00000000,?,?), ref: 00418718
                                    • Part of subcall function 004186B4: GdipDisposeImage.GDIPLUS(?,00418BBD), ref: 004186BD
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                  • String ID: image/png
                                  • API String ID: 1291196975-2966254431
                                  APIs
                                  • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405030
                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                  • GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415D04,?,00000001,0000004C,00000000), ref: 00405087
                                  Strings
                                  • KeepAlive | Enabled | Timeout: , xrefs: 0040501F
                                  Yara matches
                                  Similarity
                                  • API ID: LocalTime
                                  • String ID: KeepAlive | Enabled | Timeout:
                                  • API String ID: 481472006-1507639952
                                  APIs
                                  • Sleep.KERNEL32 ref: 0041667B
                                  • URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166DD
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: DownloadFileSleep
                                  • String ID: !D@
                                  • API String ID: 1931167962-604454484
                                  APIs
                                  • GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: LocalTime
                                  • String ID: | $%02i:%02i:%02i:%03i
                                  • API String ID: 481472006-2430845779
                                  APIs
                                  • PathFileExistsW.SHLWAPI(00000000), ref: 0041ADCD
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: ExistsFilePath
                                  • String ID: alarm.wav$hYG
                                  • API String ID: 1174141254-2782910960
                                  APIs
                                    • Part of subcall function 0040B19F: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B1AD
                                    • Part of subcall function 0040B19F: wsprintfW.USER32 ref: 0040B22E
                                    • Part of subcall function 0041B580: GetLocalTime.KERNEL32(00000000), ref: 0041B59A
                                  • CloseHandle.KERNEL32(?), ref: 0040B0EF
                                  • UnhookWindowsHookEx.USER32 ref: 0040B102
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                  • String ID: Online Keylogger Stopped
                                  • API String ID: 1623830855-1496645233
                                  APIs
                                  • waveInPrepareHeader.WINMM(0056E180,00000020,?,?,00476B50,00474EE0,?,00000000,00401A15), ref: 00401849
                                  • waveInAddBuffer.WINMM(0056E180,00000020,?,00000000,00401A15), ref: 0040185F
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: wave$BufferHeaderPrepare
                                  • String ID: XMG
                                  • API String ID: 2315374483-813777761
                                  APIs
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: _free
                                  • String ID: H'V
                                  • API String ID: 269201875-3641000910
                                  APIs
                                  • IsValidLocale.KERNEL32(00000000,kKD,00000000,00000001,?,?,00444B6B,?,?,?,?,00000004), ref: 00448BB2
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: LocaleValid
                                  • String ID: IsValidLocaleName$kKD
                                  • API String ID: 1901932003-3269126172
                                  APIs
                                  • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000), ref: 0040C531
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: ExistsFilePath
                                  • String ID: UserProfile$\AppData\Local\Google\Chrome\
                                  • API String ID: 1174141254-4188645398
                                  APIs
                                  • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000), ref: 0040C594
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: ExistsFilePath
                                  • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                                  • API String ID: 1174141254-2800177040
                                  APIs
                                  • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5F7
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: ExistsFilePath
                                  • String ID: AppData$\Opera Software\Opera Stable\
                                  • API String ID: 1174141254-1629609700
                                  • Opcode ID: 8000172e7e681251177a335894fd2e2a37e3823944c94c6a399ddcaad00f7658
                                  • Instruction ID: 695210f55460e2722832162fecb8267ed9c5d90cd61684e29202a639a57ef244
                                  • Opcode Fuzzy Hash: 8000172e7e681251177a335894fd2e2a37e3823944c94c6a399ddcaad00f7658
                                  • Instruction Fuzzy Hash: 38F05E30A00219D6CA14BBB69C478EF7B2C9950755F1005BBBA01B21D3EE789941C6ED
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: _free
                                  • String ID: $G
                                  • API String ID: 269201875-4251033865
                                  • Opcode ID: c3cbfa58486471b9b0b5450975d814376b4bfcef5d9edc52bbd6be3dc13577df
                                  • Instruction ID: 5d396c1abc39b18bdc3e623667384c8b5cce6391ee106473ff554fc58991571d
                                  • Opcode Fuzzy Hash: c3cbfa58486471b9b0b5450975d814376b4bfcef5d9edc52bbd6be3dc13577df
                                  • Instruction Fuzzy Hash: 7CE0E532A0652041F675763B2D05A5B47C55FC2B3AF22033BF028861C1DFEC494A606E
                                  APIs
                                  • GetKeyState.USER32(00000011), ref: 0040B686
                                    • Part of subcall function 0040A41B: GetForegroundWindow.USER32(?,?,004750F0), ref: 0040A451
                                    • Part of subcall function 0040A41B: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A45D
                                    • Part of subcall function 0040A41B: GetKeyboardLayout.USER32(00000000), ref: 0040A464
                                    • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
                                    • Part of subcall function 0040A41B: GetKeyboardState.USER32(?,?,004750F0), ref: 0040A479
                                    • Part of subcall function 0040A41B: ToUnicodeEx.USER32(00475144,00000000,?,?,00000010,00000000,00000000), ref: 0040A49C
                                    • Part of subcall function 0040A41B: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 0040A4FC
                                    • Part of subcall function 0040A671: SetEvent.KERNEL32(?,?,?,0040B86A,?,?,?,?,?,00000000), ref: 0040A69D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                  • String ID: [AltL]$[AltR]
                                  • API String ID: 2738857842-2658077756
                                  • Opcode ID: 0f70a0069a612ae1fb5ede6b6ff70f96726a9fd1eec0d97551c5347f5f324e5e
                                  • Instruction ID: d407634c764e35d79823ffb94670adf82ecea3c262ef0a09b09082b5b6a355d5
                                  • Opcode Fuzzy Hash: 0f70a0069a612ae1fb5ede6b6ff70f96726a9fd1eec0d97551c5347f5f324e5e
                                  • Instruction Fuzzy Hash: B2E0652171032052C859363D592FABE2D11CB41B64B42097FF842AB7D6DABF4D5543CF
                                  APIs
                                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161E3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ExecuteShell
                                  • String ID: !D@$open
                                  • API String ID: 587946157-1586967515
                                  • Opcode ID: eb4567e96d42521689c96e83ef1aa2a6a7df05ac31277aa5078135f6cb8d6bca
                                  • Instruction ID: 3b2857edeaddefe186f4a0a52e989bb70d7a4cfa1db765b6d796ce97600c5b03
                                  • Opcode Fuzzy Hash: eb4567e96d42521689c96e83ef1aa2a6a7df05ac31277aa5078135f6cb8d6bca
                                  • Instruction Fuzzy Hash: 4AE012712483059AD214EA72DC92EFEB35CAB54755F404C3FF506524E2EF3C5C49C66A
                                  APIs
                                  • GetKeyState.USER32(00000012), ref: 0040B6E0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: State
                                  • String ID: [CtrlL]$[CtrlR]
                                  • API String ID: 1649606143-2446555240
                                  • Opcode ID: 1d2d80fd5b8c20147d0c6ff4d402c2e3edc42c22dff79285f987829e6048126c
                                  • Instruction ID: b338140f060b4cc34328e336f8905ed3f99262ec5dadafe534bff25dd27afc5e
                                  • Opcode Fuzzy Hash: 1d2d80fd5b8c20147d0c6ff4d402c2e3edc42c22dff79285f987829e6048126c
                                  • Instruction Fuzzy Hash: CFE04F2160072052C5243A7D561A67A2911C7C2764F41057BE9826B7C6DABE891452DF
                                  APIs
                                    • Part of subcall function 00434801: __onexit.LIBCMT ref: 00434807
                                  • __Init_thread_footer.LIBCMT ref: 00410F64
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Init_thread_footer__onexit
                                  • String ID: ,kG$0kG
                                  • API String ID: 1881088180-2015055088
                                  • Opcode ID: bf6eaf7ad603c651630b5b847c32adb66bdf614d62153d48efbad85f1494e607
                                  • Instruction ID: 52a075922dd803dc3791164d579436726ad124eb3de8ddc986de269a183bf650
                                  • Opcode Fuzzy Hash: bf6eaf7ad603c651630b5b847c32adb66bdf614d62153d48efbad85f1494e607
                                  • Instruction Fuzzy Hash: A8E0D8315149208EC514B729E542AC53395DB0E324B21907BF014D72D2CBAE78C28E5D
                                  APIs
                                  • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040D17F,00000000,004752D8,004752F0,?,pth_unenc), ref: 00413A6C
                                  • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00413A80
                                  Strings
                                  • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: DeleteOpenValue
                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                  • API String ID: 2654517830-1051519024
                                  • Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                  • Instruction ID: 8a242acd51d06e7ce72e997358fe7bb9804e2c240f13b939b69747d851efcbee
                                  • Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
                                  • Instruction Fuzzy Hash: FFE0C231244208FBEF104FB1DD06FFA7B2CDB01F42F1006A9BA0692192C626CE049664
                                  APIs
                                  • TerminateProcess.KERNEL32(00000000,pth_unenc,0040F903), ref: 0041289B
                                  • WaitForSingleObject.KERNEL32(000000FF), ref: 004128AE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ObjectProcessSingleTerminateWait
                                  • String ID: pth_unenc
                                  • API String ID: 1872346434-4028850238
                                  • Opcode ID: a2eb2d9afd673111ff5afcc9fde18e5bb16fff8f446b795bb15600cc5347fa32
                                  • Instruction ID: 30425768eaae71e8f6d4d073063fb5581f05561c6d480f36d281b696a9d2b878
                                  • Opcode Fuzzy Hash: a2eb2d9afd673111ff5afcc9fde18e5bb16fff8f446b795bb15600cc5347fa32
                                  • Instruction Fuzzy Hash: DBD01234149312FFD7310F60EE4DB443B589705362F140361F439552F1C7A589D4AB58
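Read together, the records above give a triage note most of what it needs: the GetKeyState/ToUnicodeEx function (GetKeyState(0x11) is VK_CONTROL, the nested GetKeyState(0x10) is VK_SHIFT) with the [AltL]/[AltR] and [CtrlL]/[CtrlR] markers is keystroke capture; the RegOpenKeyExW(0x80000002 = HKEY_LOCAL_MACHINE, ..., samDesired 0x2 = KEY_SET_VALUE) plus RegDeleteValueW record removes a value under Policies\Explorer\Run; TerminateProcess followed by WaitForSingleObject kills a process and waits for it; and the PathFileExistsW probes check for Opera and Edge profile directories. The following is an added example, not code from the report or from Joe Sandbox: a parser for the record layout shown on this page that tags those behaviours. The sample input is constructed from three of the records above, trimmed to the fields the parser reads; the Chrome and Firefox path fragments are assumptions added for a broader sweep.

```python
"""Added triage helper for Joe Sandbox IDA-plugin function records (not part of the report
or of Joe Sandbox). It parses the layout shown on this page and tags known behaviours."""
import re
from dataclasses import dataclass
# One "Name.MODULE(args), ref: addr" line; nested calls carry a "Part of subcall
# function XXXX:" prefix and some calls (GetLastError) have no argument list.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?"
)
@dataclass
class ApiCall:
    name: str
    module: str
    args: list   # hex strings as printed, '?' where Joe Sandbox could not recover a value
    ref: str
@dataclass
class FunctionRecord:
    apis: list
    strings: list  # the "String ID" field, split on its '$' separator
def parse_records(text):
    """Split report text into records; each starts at an 'APIs' header."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionRecord([], [])
            records.append(current)
            section = "apis"
        elif current is None:
            continue
        elif line in ("Strings", "Memory Dump Source"):
            section = line
        elif section == "apis":
            m = API_RE.match(line)
            if m:
                args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
                current.apis.append(ApiCall(m.group("name"), m.group("module"), args, m.group("ref") or ""))
        elif section == "Memory Dump Source" and line.startswith("• String ID:"):
            current.strings = [s for s in line[len("• String ID:"):].strip().split("$") if s]
    return records
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU"}
HIVES = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
# Opera and Edge paths appear on this page; Chrome and Firefox are assumed extras.
BROWSER_DIRS = ("Opera Software", "Microsoft\\Edge", "Google\\Chrome", "Mozilla\\Firefox")
def decode_arg(call, index):
    """Symbolic name for a numeric argument where the parameter's meaning is known."""
    try:
        value = int(call.args[index], 16)
    except (IndexError, ValueError):
        return None
    if call.name == "GetKeyState" and index == 0:
        return VK_NAMES.get(value, f"VK_{value:02X}")
    if call.name == "RegOpenKeyExW" and index == 0:
        return HIVES.get(value, f"0x{value:08X}")
    return None
def classify(record):
    """Behaviour tags for one record, from its API set and its strings."""
    names = {c.name for c in record.apis}
    strings, tags = record.strings, []
    if {"GetKeyState", "ToUnicodeEx"} <= names:
        tags.append("keystroke-to-text translation")
    if any(s.startswith("[") and s.endswith("]") for s in strings):
        tags.append("modifier-key markers: " + ", ".join(strings))
    if "RegDeleteValueW" in names and any("Policies\\Explorer\\Run" in s for s in strings):
        hive = next((decode_arg(c, 0) for c in record.apis if c.name == "RegOpenKeyExW"), None)
        tags.append(f"removes value under {hive or 'unknown hive'} Policies\\Explorer\\Run")
    if "PathFileExistsW" in names and any(b in s for s in strings for b in BROWSER_DIRS):
        tags.append("probes browser profile directory")
    if "TerminateProcess" in names:
        tags.append("terminates a process")
    return tags
def triage(text):
    """(address of the record's first call, tags) for every record that matched a rule."""
    return [(rec.apis[0].ref if rec.apis else "?", tags)
            for rec in parse_records(text) if (tags := classify(rec))]
# Constructed from three records on this page, trimmed to the fields the parser reads.
SAMPLE_REPORT = r"""
APIs
• GetKeyState.USER32(00000011), ref: 0040B686
  • Part of subcall function 0040A41B: GetKeyState.USER32(00000010), ref: 0040A46E
  • Part of subcall function 0040A41B: GetKeyboardState.USER32(?,?,004750F0), ref: 0040A479
  • Part of subcall function 0040A41B: ToUnicodeEx.USER32(00475144,00000000,?,?,00000010,00000000,00000000), ref: 0040A49C
Memory Dump Source
• String ID: [AltL]$[AltR]
APIs
• RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?), ref: 00413A6C
• RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00413A80
Strings
• Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A6A
Memory Dump Source
• String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
APIs
• PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000), ref: 0040C5F7
Memory Dump Source
• String ID: AppData$\Opera Software\Opera Stable\
"""
```

Feed `triage()` the text of the whole function listing to get one line per tagged function, keyed by the address of its first call, which is the address to jump to in the disassembly. The rules deliberately require an API plus a string (for the registry and browser cases) so that generic CRT or loader functions do not match.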
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CommandLine
                                  • String ID: @)U
                                  • API String ID: 3253501508-3499912770
                                  • Opcode ID: 21ebb353eb9a5e230f63c7dd18cef58b922ecce08ae36afe23ca5bbaac6cd083
                                  • Instruction ID: 694146ce0b361bd31d1980ce40e18c0a636997d79f12e70286e675221abc8fda
                                  • Opcode Fuzzy Hash: 21ebb353eb9a5e230f63c7dd18cef58b922ecce08ae36afe23ca5bbaac6cd083
                                  • Instruction Fuzzy Hash: CBB04878800753CB97108F21AA0C0853FA0B30820238020B6940A92A21EB7885868A08
                                  APIs
                                  • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D77
                                  • GetLastError.KERNEL32 ref: 00440D85
                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440DE0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ByteCharMultiWide$ErrorLast
                                  • String ID:
                                  • API String ID: 1717984340-0
                                  • Opcode ID: b039ec4469df985fcedc89be96e173b9c6b75658958c27081834ba59c0289411
                                  • Instruction ID: 51be13377619d21db21fabe69686c0ed70cae26876ac5a8e773c252addda8789
                                  • Opcode Fuzzy Hash: b039ec4469df985fcedc89be96e173b9c6b75658958c27081834ba59c0289411
                                  • Instruction Fuzzy Hash: 2D412670A00212AFEF218FA5C8447BBBBA4EF41310F2045AAFA59573E1DB399C31C759
                                  APIs
                                  • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411BC7
                                  • IsBadReadPtr.KERNEL32(?,00000014), ref: 00411C93
                                  • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411CB5
                                  • SetLastError.KERNEL32(0000007E,00411F2B), ref: 00411CCC
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4629803570.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.4629788640.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629842842.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000471000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629867665.0000000000474000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4629898710.0000000000478000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorLastRead
                                  • String ID:
                                  • API String ID: 4100373531-0
                                  • Opcode ID: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                  • Instruction ID: 65e884089caabfe283b2879acbb60db065d5dd9ad58be7743d127bf22715a70c
                                  • Opcode Fuzzy Hash: 90639ee29dfdd48ecb3f8d3d3319bc7730bab7022ac74643829df8c5f46e8e60
                                  • Instruction Fuzzy Hash: 60419D716443059FEB248F19DC84BA7B3E4FF44714F00082EEA4A876A1F738E845CB99
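The last record pairs two IsBadReadPtr probes of 0x14 bytes with SetLastError(0x7F) and SetLastError(0x7E). 0x14 is sizeof(IMAGE_IMPORT_DESCRIPTOR), and 0x7E and 0x7F are ERROR_MOD_NOT_FOUND and ERROR_PROC_NOT_FOUND, the codes LoadLibrary and GetProcAddress set when a DLL or an export is missing; that combination is what a hand-rolled import resolver looks like. The report does not say so itself, so treat it as an inference to confirm in the disassembly at 00411BC7. As an added illustration, not code from the sample or from Joe Sandbox, the block below walks a 32-bit import directory the way such a resolver does, against an image constructed in memory and laid out flat (RVA equals offset, as in an already-mapped image); the export table it resolves against is a constructed stand-in, and the 0x14-byte readability check stands in for the IsBadReadPtr probe.

```python
"""Added illustration of a manual PE import walk; not the sample's code and not from the report."""
import struct
from dataclasses import dataclass
from typing import Optional

# IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
IMPORT_DESCRIPTOR = struct.Struct("<IIIII")   # size 0x14: the length the sample probes with IsBadReadPtr
ERROR_MOD_NOT_FOUND = 0x7E                     # LoadLibrary failure code (126)
ERROR_PROC_NOT_FOUND = 0x7F                    # GetProcAddress failure code (127)
IMAGE_ORDINAL_FLAG32 = 0x80000000              # thunk entry imports by ordinal, not by name

@dataclass
class ImportResult:
    module: str
    symbol: Optional[str]    # None when the module itself could not be found
    address: Optional[int]   # resolved address, None on any failure
    error: int               # 0, ERROR_MOD_NOT_FOUND or ERROR_PROC_NOT_FOUND

def read_cstring(img, rva):
    """NUL-terminated ASCII string at an RVA of a flat image."""
    return img[rva:img.index(b"\0", rva)].decode("ascii")

def walk_imports(img, import_dir_rva, exports):
    """Resolve every import; `exports` maps lower-cased DLL name -> {symbol: address}."""
    results, rva = [], import_dir_rva
    while rva + IMPORT_DESCRIPTOR.size <= len(img):          # the 0x14-byte readability probe
        oft, _stamp, _fwd, name_rva, first_thunk = IMPORT_DESCRIPTOR.unpack_from(img, rva)
        if name_rva == 0 and first_thunk == 0:
            break                                              # all-zero descriptor ends the table
        rva += IMPORT_DESCRIPTOR.size
        module = read_cstring(img, name_rva)
        table = exports.get(module.lower())
        if table is None:                                      # LoadLibrary would fail here
            results.append(ImportResult(module, None, None, ERROR_MOD_NOT_FOUND))
            continue
        thunk = oft or first_thunk                             # OFT holds names; FirstThunk is the IAT
        while True:
            (entry,) = struct.unpack_from("<I", img, thunk)
            if entry == 0:
                break
            if entry & IMAGE_ORDINAL_FLAG32:
                symbol = f"#{entry & 0xFFFF}"
            else:
                symbol = read_cstring(img, entry + 2)           # skip the 2-byte hint of IMAGE_IMPORT_BY_NAME
            address = table.get(symbol)                        # GetProcAddress would fail on None
            results.append(ImportResult(module, symbol, address,
                                        0 if address is not None else ERROR_PROC_NOT_FOUND))
            thunk += 4
    return results

def build_sample_image():
    """Constructed flat image: two descriptors, a terminator, names and thunk arrays at fixed RVAs."""
    img = bytearray(0x100)
    img[0x00:0x14] = IMPORT_DESCRIPTOR.pack(0x60, 0, 0, 0x40, 0xC0)   # KERNEL32.dll
    img[0x14:0x28] = IMPORT_DESCRIPTOR.pack(0x70, 0, 0, 0x50, 0xD0)   # NOSUCH.dll (missing module)
    img[0x40:0x4D] = b"KERNEL32.dll\0"
    img[0x50:0x5B] = b"NOSUCH.dll\0"
    img[0x60:0x6C] = struct.pack("<III", 0x80, 0x90, 0)               # OriginalFirstThunk for KERNEL32
    img[0x70:0x78] = struct.pack("<II", 0xA0, 0)                      # OriginalFirstThunk for NOSUCH
    img[0x80:0x88] = struct.pack("<H", 0) + b"Sleep\0"                # IMAGE_IMPORT_BY_NAME: hint + name
    img[0x90:0x9E] = struct.pack("<H", 0) + b"NotAnExport\0"          # present in the IAT, absent from exports
    img[0xA0:0xAB] = struct.pack("<H", 0) + b"Anything\0"
    return bytes(img)

# Constructed stand-in for the loaded DLLs' export tables.
SAMPLE_EXPORTS = {"kernel32.dll": {"Sleep": 0x7FFE1000}}
```

Running `walk_imports(build_sample_image(), 0, SAMPLE_EXPORTS)` yields one resolved entry, one ERROR_PROC_NOT_FOUND entry and one ERROR_MOD_NOT_FOUND entry, which is the same pair of failure codes the record sets. When confirming the inference, look for the loop that advances a pointer by 0x14 between the two probes and for the code that reads a name RVA out of the fourth DWORD of each descriptor.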